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DESCRIPTION 

METHOD AND DEVICE FOR CALCULATING A FUNCTION FROM A LARGE 

NUMBER OF INPUTS 

Technical Field 

The present Invention relates to a method of calculating, when inputs for a 
given function are dispersed and held in a plurality of devices, an output of this 
function while these devices are working together, and more particularly to a 
method and system for performing a calculation by a fixed number of times 
irrespective of a function In which the number of times for each device to perform 
communication with another device is given. 

Background Art 

As a prior art regarding a method of calculating, when Inputs for a given 
function are dispersed and held In a plurality of devices, an output of this function 
while these devices are working together, a method is proposed by Beaver. 
Micali. and Rogaway in paper "D. Beaver. S. MIcall. and P. Rogaway. The round 
complexity of secure protocols', Annual ACM Symposium on Theory of 
Computing 22. pages 503-513. 1990". This paper Is hereinafter referred to as 
Non-patent Document 1 . 

The technology disclosed In Non-patent Document 1 relates to a method 
of calculating, when the number of calculators Ua who are connected to one 
another via a network is A. each of the calculators has a secret input Xo. and an 

arbitrary function g is given, an output g(xi A) while the calculators work 

together, wherein the secret of each of the calculators is not leaked beyond 
30^^ 3"*^ number of times for performing communication necessary for 
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the calculation with is a fixed number. The technology disclosed In Non-patent 
Document 1 will be described with reference to Figs. 1, 2 and 19. 

[Garbled circuit] 

[Syntax] 

A circuit f includes m logic gates. Each gate Is denoted by symbols 

Gi Gi Gm. As shown in Fig. 19. each gate has two inputs and one output. 

Each output may be input to a plurality of gates. An output line of Gr is generally 
input to a plurality of gates but all signals flowing through the line have the same 
value of 0 or 1 . Then, all line output from the gate Gk are referred to as wi,. The 
number of line input to the circuit f is n. which is expressed as follows. 

{wl<> k = m+1 m+n. Then. Wi....,W| denote the output of the circuit f. 

The number of calculators is A, and a set of the calculators is expressed as 
follows. 

{"<°')a.1 K 

The number of bits input by u^^^ to the circuit f is Iq . 

With respect to (Iq^I^'q = k = m + 1, n^ + n where the sum of those 
bits is set as n. a bit input to each Wk is represented by bk, and each of the bits is 
allocated to u^°^ by the number of Iq in the following manner. That is, u^^) 
determines the following set 

{bk €{0.l}}k=m + lp=-i °"^lp+1 m + Zp:=i°lp 

When outputs of the gates Gi and Gj are input to the gate Gr, a relation 
between the output bj of Gj and the output bk of Gr is represented as follows, 
bk =bj@G[k]bj 

Then, □ denotes exclusive OR of the bit and • denotes a character string 
sequences. 



t denotes a safety variable, and G. H. and F denote pseudorandom 
number generating devices for output character strings of tA bits. 
[Construction] 

A protocol is roughly divided into three processes which are (1) an input 
process 402. (2) a parallel constnjction process 400 of a garbled circuit based oi 
a calculation performed by a large number of people, and (3) a result output 
process 401 for performing an input disclosure and a circuit calculation. 

The Input process 402 is performed in the following manner. Information 
on a circuit for performing the calculation. Information on another calculator, and 
input data of each device are input to each device. 

The parallel construction process 400 of the garbled circuit is performed ir 
the following manner. In a procedure of this process, as shown In Fig, 2. a 
phase 502 in which A computers 501 individually performs the calculation and a 
phase 503 In which all the computers perform communication with one another 
are alternately performed. Then, the number of performing the repetition is set 
as a fixed number 504. and whatever function is desired to be calculated, the 
following process can be completed. Also, in each communication phase, each 
of the computers transmits data to all of the other computers. In order to 
generate the data transmitted at this time, transmission data of other computers 
In the same communication phase of this transmission should not be needed. 
That is, when there is a transmission which should wait for data of other 
computers, the communication phase in which this transmission is performed is 
counted as a different communication phase from the communication phase in 
which data Is waited for. 

[1] In cooperation with one another, the calculators uniquely and randomly 
generate a set of character strings of bits and a set of bits so that these sets are 
secretly dispersed to all the calculators. 



{s^k's«keR{0.1}t}k=i m+n:a=t.... A 

{Pk eR{0.1}} 
Wherein 

SK:=Sh^s,2....Sk^ 
S'r: = s'k^-s'k^.... sV\ 

Regarding {Sk},{pk}. if AkDbk=0. In the calculation phase of the circuit. Sr is 
made public, and if A^abk"!, S'r is made public. 

[2] For each of the calculators Uq . the following data Is revealed. 

{s°k}k=1 m+n 

[3] With respect to k=1 m+n. each of the calculators Uq calculates the 

following character strings of tA bits. 

g°k-G(s°K) 
g'°k-G(s'°k) 
h°k=H(sak) 
h'°k = H(s'°k) 
1\ =F(s°k) 
f'°k =F(s'°k ) 

Then, each of the calculators Uq commits the following data to prove to 
the other calculators that these values are calculated correctly. 

{g°k'. g'^k' . h^k'. h'^k' . f °k'. r\' )k 

[4] With respect to k=1, .... m+n. the calculators secretly perform the 
following calculation in a dispersed manner. 
cr„'-...CT/ = if X^Db,, = 0 
cfKV..<y/=SVifX,nb,=1 

[5] In cooperation with one another, with respect to k=1, .... m+n. the 
calculators secretly perform the following calculation in a dispersed manner. 
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A, = g; □ ... Dg,^ ng/ □ ... Dg^^ Qs^ if p,@^^^j ^ 

A, =g;n...ng,^ □g/n...ng,^ □S',ifp,@^,,,p^^p^ 

B, =h,'n...nh,^ □gVD...ng',^ □sjfp,@^,,,Pj =p^ 
B,=h/D...Dh,^ ngVa-ag? □s';ifp,@3,,,p',^p^ 
c, = gVD...ng',^ □h;n..,nh,^ □s,ifp-@3j,,p, =p^ 
c, = gVn...ng',^ □h;D...nh,^ □s',ifp',@,,,,Pj ^p^ 

D,=hVa...Dh',^ □gVn...D9',^ □SJfp'.O.^jp- =p^ 

It should be noted that a signal input to the gate Gr is outputs of the gate 
G, and the gate Gj. This state Is shown In Fig. ig. The disclosure of the input 
and the generation of the circuit in the result output process 401 are performed 
as follows. 

[1] The calculators reveal the following data. 

(Pk) M I 

{^c } lc=1._,m+n:o=1.._.X 
{Ok ••••• V> l..1.._m*n 

[2] With respect to k=1 m+n. in an order from k which is closer to the 

input of the circuit, from Sj or S'l. and Sj or S'j. S*k is obtained as follows. This 
refers to Sr or SV. 

Sr' =AKDg;a...ng* □g/a...Dg,^ if S,.S, are processed 
S/ = B,D h,' □ ... Dh,^ DgV □ ... Dg',* if S,.S'j are processed 
Sk' = CkD g',' □ ... □g*,'^ Dh/ □ ... Dh,^ if S', .S', are processed 
S/ = D^D h'/ □ ... Dh',^ DgV □ ... □g','^ if S'.. .S'j are processed 

[3] With respect to all of a=1 A; k=1 m+n. by checking the following. 

S*k=Sk or S*k=S'k is confirmed. 
f"M=F(s"k). 
fVPCs'-k) 
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[4] With respect to k=1. .... m+n. when all the calculators obtain Sk. Pk+ bk 
= 0 is established, and when all the calculators obtain S'k, pk + bh = 1 Is 
established, thereby finding out bk. 

As other prior art for such a method as described in the section of 
Technical Field, there is a method proposed by Ishai and Kushilevitz in paper "Y. 
Ishai and E. Kushilevitz. 'Randomizing Polynomials: A new Representation with 
Applications to Round-Efficient Secure Computation'. IEEE Symposium on 
Foundations of Computer Science 2000. pages 294-304". Hereafter, this paper 
is referred to as Non-patent Document 2. The prior art of Non-patent Document 
2 will be described with reference to Figs. 3 and 4. 

[Randomizing polynomial] 

Non-patent Document 2 proposes a method of expressing a given function 
by a low order polynomial on the finite field. In particular. Non-patent Document 
2 demonstrates that an arbitrary function can be expressed by a third polynomial. 
Evaluation of a low order polynomial can be performed by performing a round by 
a fixed number of times. In general, the function can be expressed in various 
forms such as a circuit. 

A blanching problem described next can be expressed by a general 
function. A blanching problem BP = (G.(p. s.t) is refered to a mod-p blanching 
problem. G = (V, E) is a directed graph, (p Is a labeling function for labeling one 
of 1, x\, and the negation x°i to each of the sides. Then, s and t are special 
apexes. 

When an Input x = (xi Xn) is given, from the labeling function <p. a 

partial graph Gx of G is given. A value of a Boolean function f calculated by is 
f(x) = 0 when a remainder obtained through division of the number of routes 
connecting s with t in G* by p is 0. and othenvise the value is f(x) = 1. The 
magnitude of BP is set as the number of the apexes of G. 

The magnitude of BP is set as I. When a IXtimesI adjacency matrix of the 
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partial graph Gx is expressed as Hx, the number of routes connecting s-t is 
obtained as follows. 

(I+Hx + Hx^+ s)6t= ((VHx) '')st mod p 

= det Mx / det (l-Hx) } mod p 
Wherein Mx is a matrix obtained by excluding a row s and a column t from the 
matrix (l-Hx). Therefore, the following data Is found out 

f(x) = 0 <=> rank (Mx) = 1-1 

f(x) -0<^ rank (Mx) = I 

Then, Mx includes an at most first order component with respect to x. 
[Calculation method] 

A method of obtaining f(x) by using the randomizing polynomial method 
when the Boolean function f is given and the input is distributed to a plurality of 
calculators. 

As shown in Fig. 3, 

[1] Information on a function to be calculated, information on another 
calculator, and Input data of each device are input to each device (605). 

[21 BP Is constructed which corresponds to f (600). 

[3] The following processes are performed in parallel by the sufficient 
number of times. 

[Process] 

As shown in Fig. 4, 

All the calculators disperse each component to uniquely and randomly 
generate be! matrices R,. R2 (603) for calculating RiMxR2 which is a product of 
three matrices Ri, Mx, R2 (604). 

Each component is an at most third expression of components of Ri. R2, x. 

[4] From all the values of rankRiMxR2, it is presumed whether or not rank 
of Mx is I. When the probability that rank of Mx is I is high. 1 is output, and 
otherwise 0 is output (602). 
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In the above-mentioned method, when rank (Mx) = rank (M'x), distributions 
of RiMxR2 and RiM xRz become the same, a new matter is not leaked other than 
f(x) with respect to x. 

Furthermore, when rank (Mx) = I with- respect to any I, the probability of 
rank (RiM^Rz) = I is larger than 0.08. Thus, the number of times for performing 
the process of Item 2 does not rely on 1. 

[Calculation amount and communication amount] 

In the method using the garbled circuit, the calculation with respect to 
each gate is individually performed, and the entire calculation amount and 
communication amount are proportional to the number of gates, t-n threshold 
dispersion (proportional to 2tl The calculation in the t-n threshold dispersion 
refers to a calculation method in which the secret is dispersed to n calculators. 
Among the calculators, unless t calculators gather the data which each of them 
knows by itself. It is Impossible to find out the dispersed secret or meaningful 
data in the middle of the calculation. 

In the method using the randomizing polynomial, In the case where the t-n 
threshold dispersion is performed, the round number becomes 2(3) in proportion 
to t^ and the square of the magnitude of BR 

The communication amount and calculation amount in the randomizing 
polynomial method are proportional to the at most first order of the number of 
gates. Moreover, a coefficient of the highest order is substantially lower than that 
of the randomizing polynomial method and therefore efficient 

However, here, particular attention is paid to the case where t > n/2 Is 
satisfied in the t-n threshold dispersion and a third party demands the verification 
of the calculation validity. In such a case, it is obviously applicable to extend the 
above-mentioned method. The result of the extension shows that the entire 
communication amount and calculation amount in the method using the garbled 
circuit are proportional to the number of gates and t3. When method using the 
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randomizing polynomial is used, the communication amount and calculation 
amount are proportional to 1.5-th power of the number of gates. When the 
number of gates is larger, the method is not efficient. 

A first problem resides in that the method of Non-patent Document 1 
requires an enormous calculation amount of each calculator and an enormous 
calculation amount of a verifier who verifies the calculation validity. 

This is because as each calculator needs to calculate the output of the 
pseudorandom number generating device, it is necessary to prove the 
calculation correctness while the calculation result is hidden. 

A second problem resides in that the method of Non-patent Document 2 
also requires an enormous calculation amount of each calculator and an 
enormous calculation amount of the verifier who verifies the calculation validity. 

This is because the calculation amount performed by each calculator is in 
proportion to 1 .5-th power of the number of gates in the case of expressing the 
function by the circuit and often the number of gates is extremely large. Thus the 
entire calculation amount becomes enormous. 

Disclosure of Invention 

An object of the present invention provides is to provide a method and 
system for performing a calculation by fixed times irrespective of a function in 
which the number of computers is suppressed to be proportional to the number 
of gates even when the number of gates is larger, the computers do not need to 
calculate outputs of pseudorandom number generating devices whose 
calculation validity should be proved, and the number of performing 
communication by the computer becomes a fixed number irrespective of a 
function. 

According to an aspect of the present invention, there is provided a 
method of calculating a value of a given function by using an apparatus that 
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includes a plurality of computers, including: 
an input process; and 
an output process, 

characterized in that the input process inputs a circuit and an input bit to 
the circuit to the plurality of computers, and 

one of the computers firstly performs calculation and transmits the 
calculation result to another computer and the another computer which has 
received the calculation result performs the next calculation such that calculation 
is performed by one computer after another, and when all the computers have 
performed calculation once, the last computer which has performed calculation 
transmits the calculation result to the first computer which has performed 
calculation, and after this, calculation is performed by one computer after another 
and the calculation result is transmitted to the next computer such that the 
calculation of each cycle is repeated. 

According to another aspect of the present Invention, there is provided a 
method of calculating a value of a given function by using an apparatus that 
includes a plurality of computers, including: 

an input process; 

an EIGamal cipher text preparation process; 

a sequential substitution reencryption process; and 

a result output process, 

characterized in that the input process Includes an information input step 
of inputting to the plurality of computers Information on a circuit Including a 
plurality of gates and Information on the plurality of computers, and a dispersion 
Input step of Inputting to each of the computers each one of plural pieces of 
partial data which are obtained by dispersing input data of the function into plural 
pieces by the number of the computers, 

the EIGamal cipher text preparation process includes an EIGamal cipher 
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text preparation step of generating a set of EIGamal cipher texts In wlilch at least 
one of the computers corresponds to the gate of the circuit that realizes the given 
function, 

the sequential substitution reencryption process includes a step of allowing 
each of the computers to perform a substitution reencryption process one after 
another, and the substitution reencryption process includes a cipher text 
obtaining step of allowing the computer in this turn to receive the set of EIGamal 
cipher texts from the computer in the previous turn, a cipher text substitution and 
reencryption step of changing an order of the set of cipher texts received in the 
cipher text obtaining step for substitution and subjecting those cipher texts to 
reencryption. and a step of disclosing the data generated in the cipher text 
substitution and reencryption step to at least the computer in the next order, and 

the result output process includes a partial decryption step of deciphering 
or partially deciphering a part of the cipher texts generated in the cipher text 
substitution and reencryption step, a decryption step of deciphering a cipher text 
that enciphers data corresponding to the input to the circuit in the cipher texts 
generated in the cipher text substitution and reencryption step, and an evaluation 
step of evaluating an output of the circuit by using the data deciphered in the 
decryption step and the data partially deciphered in the partial decryption step. 

In this case, the following construction may be adopted that the set of 
EIGamal cipher texts corresponding to each of the gates is a set of EIGamal 
cipher texts of a secret key generated corresponding to each of the gate by each 
of the computers, and 

a public key used for generating the EIGamal cipher texts is a sum of 
public keys corresponding to gates for generating two signals input to this gate. 

Furthermore, the following construction may be adopted that the Input 
process further includes a step of inputting an area variable of an EIGamal 
encryption method to each of the computers. 
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the EIGamal cipher text preparation process further includes a gate secret 
key generating step of generating a secret key of the EIGamal cipher texts 
corresponding to each of the gates of the circuit by each of the computers. 

each of the computers performs: 

a gate public key generating step of generating a gate public key 
corresponding to the secret key generated in the gate secret key generating step. 

a gate public key validity proof generating step of generating a gate public 
key validity proof for the public key generated in the gate public key generating 
step, 

a gate public key validity proof disclosing step of disclosing the gate public 
key validity proof generated in the gate public key validity proof generating step. 

an Input gate secret key generating step of generating a secret key of the 
EIGamal cipher texts corresponding to a gate where an input is directly made to 
the circuit of the gates of the circuit, 

an input gate public key generating step of generating an input gate public 
key corresponding to the secret key generated in the input gate secret key 
generating step, 

an input gate public key validity proof generating step of generating a 
validity proof for the public key generated in the input gate public key generating 
step, 

an input gate public key validity proof disclosing step of disclosing the 
input public key validity pnjof generated In the input gate public key validity proof 
generating step, 

a gate public key obtaining step of obtaining gate public keys generated by i 
other respective computers. 

a gate public key integration step of integrating the gate public keys 
obtained in the gate public key obtaining step, 

a gate public key encryption step of enciphering the gate secret key 
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generated by this computer with the gate public key integrated in the gate public 
key integration step. 

a gate secret key cipher text disclosing step of disclosing a gate secret key 
cipher text generated in the gate public key encryption step, 

a gate secret key cipher text validity proof generating step of generating a 
validity proof for the gate secret key cipher text. 

a gate secret key cipher text validity proof disclosing step of disclosing the 
gate secret key cipher text validity proof generated in the gate secret key cipher 
text validity proof generating step. 

an Input cipher text generating step of generating a cipher text 
corresponding to a part of the input of the circuit input to each of the computers. 

an input cipher text validity proof generating step of generating a validity 
proof for the cipher text corresponding to the part of the input of the circuit 
generated in the input cipher text generating step, 

an Input cipher text validity proof disclosing step of disclosing the proof 
generated in the input cipher text validity proof generating step, and 

an output cipher text generating step of generating and disclosing a cipher 
text corresponding to an output of the gate, 

the sequential substitution reencryption process includes: 

a gate secret key cipher text substitution and reencryption step of 
changing an order of a set of the gate secret key cipher texts with one 
substitution randomly selected on the basis of a predetemiined permitted 
substitution method for reencryption, 

an input cipher text substitution and reencryption step of changing an 
order of a set of the input cipher texts with one substitution randomly selected on 
the basis of a predetermined permitted substitution method for reencryption. 

an output cipher text substitution and reencryption step of changing an 
order of a set of the output cipher texts with one substitution randomly selected 
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on the basis of a predetermined permitted substitution method for reencryption. 
and 

a gate secret l<ey cipher text, input cipher text, and output cipher text 
substitution and reencryption validity proof generating and disclosing step of 
generating and disclosing validity proofs for the substitution and reencryption 
performed in the gate secret key cipher text substitution and reencryption step, 
the input cipher text substitution and reencryption step, and the output cipher text 
substitution and reencryption step, 

the partial decryption step of the result output process includes: 
a gate secret key partial decryption step of partially deciphering the gate 
secret key cipher texts by mutually performing communication and calculation by 
the computers, 

an Input cipher text partial decryption step of partially deciphering the input 
cipher texts by mutually performing communication and calculation by the 
computers, 

an output cipher text partial decryption step of partially deciphering the 
output cipher texts by mutually performing communication and calculation by the 
computers, and 

a gate secret key, input cipher text, and output cipher text partial 
decryption step validity proof generating and disclosing step of generating and 
disclosing the validity proofs for the partial decryption performed In the gate 
secret key partial decryption step, the input cipher text partial decryption step, 
and the output cipher text partial decryption step, and 

the calculation method further includes a step of verifying various validity 
proofs disclosed by other computers. 

According to the present invention, there Is provided a calculation system 
for evaluating a function, including: 

a plurality of computers. 
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communication means for performing communication with the plurality of 
computers, 

input process means, 
EIGamal cipher text preparation means, 
sequential substitution reencryption means, and 
result output means, 

characterized in that the input means inputs information on a circuit whose 
output is desired to be obtained, Infomnation on the plurality of computers, and 
information on which part of an input to the circuit each of the computers has. 

the EIGamal cipher text preparation means prepares EIGamal cipher texts 
for generating a set of EIGamal cipher texts corresponding to gates of the circuit 
that realizes the given function, 

the sequential substitution reencryption means includes cipher text 
obtaining means for allowing the computer in this turn to receive the set of 
EIGamal cipher texts from the computer in the previous turn, cipher text 
substitution and reencryption means for changing an order of the set of cipher 
texts received by the cipher text obtaining means for substitution and subjecting 
those cipher texts to reencryption. and means for disclosing the data generated 
by the cipher text substitution and reencryption means to at least the computer in 
the next order, and 

the result output means includes partial decryption means for deciphering 
or partially deciphering a part of the cipher texts generated by the cipher text 
substitution and reencryption means, decryption means for deciphering 

encryption related to itself of a cipher text that enciphers data corresponding to \ 
the input to the circuit in the cipher texts generated by the cipher text substitution 
and reencryption means, and evaluation means for evaluating an output of the 
circuit while using the data deciphered by the decryption means by the plurality 
of computers and the data partially deciphered by the partial decryption means 



16 



by the plurality of computers. 

According to another aspect of the present Invention, there is provided a 
calculation system. Including a plurality of computers, Input means, and output 
means, in which one of the computers firstly performs calculation and transmits 
the calculation result to another computer and the another computer which has 
received the calculation result performs the next calculation such that calculation 
is performed by one computer after another, and when all the computers have 
performed calculatldn once, the last computer which has performed calculation 
transmits the calculation result to the first computer which has perf^ormed 
calculation, and after this, calculation is performed by one computer after another 
and the calculation result is transmitted to the next computer such that the 
calculation of each cycle is repeated, 

characterized in that the input means inputs information on a circuit and a 
part of input bits to the circuit to the computer, 

the calculation of the zero-th cycle is performed before the first computer 
performs the calculation of the first cycle, 

the plurality of computers include data obtaining means for obtaining 
transmitted data used in the calculation of each cycle, validity proof verifying 
means, signature text verifying means, first computer special calculating means 
performed by the first computer, random number generating means for 
perfonnlng random number generation, a main calculation calculating means for 
performing a main calculation, validity proof generating means for proving a 
validity for a calculation performed In the main calculation, signature means, and 
data transmission means, 

the transmitted data includes data transmitted from other computer, data 
main body, a validity proof for the data main body, and a signature text. 

the signature text includes data Including a signature text corresponding to 
a combination of the data transmitted from the other computer, the data main 
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body, and the validity proof for the data main body, 

the validity proof verifying means verifies a validity proof in the transmitted 

data 

the signature text verifying means verifies the signature text in the 
transmitted data. 

the main calculation calculates the random number generated by the 
random number generating means, 

the signature means generates a signature text for a combination of the 
transmitted data, the data main body that Is the calculation result calculated In 
the main calculation, and the validity proof generated by the validity proof 
generating means, and 

the data transmission means transmits a combination of the transmitted 
data, the data main body that is the calculation result calculated in the main 
calculation, the validity proof generated by the validity proof generating means, 
and the signature text generated by the signature means. 

In this case, the following construction may be adopted that a data main 
body of the transmitted data and the data main body that is the calculation result 
calculated in the main calculation include a combination of multiple sequence 
alignment EIGamal cipher texts on a true value group ring and extended multiple 
sequence alignment EIGamal cipher texts on the true value group ring In the 
calculation of the first cycle. 

Furthermore, the following construction may be adopted that the 
calculation of each cycle Includes calculation means for the first cycle and 
calculation means of cycles subsequent to the first cycle. 

the calculation means generates the combination of the multiple sequence 
alignment EIGamal cipher texts on the true value group ring and the extended 
multiple sequence alignment EIGamal cipher texts on the true value group ring 
with the calculation means of the zero-th cycle and includes reencryption public 
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key generating means for generating a public key used for reencryption by the 
calculation means of the first cycle, data conversion means for converting the 
transmitted data, secret key conversion means, and random number conversloj 
means. 

the data conversion means is adapted to convert the combination of the 
cipher texts that are the data main body with another combination of multiple 
sequence alignment EIGamal cipher texts on the true value group ring and 
extended multiple sequence alignment EIGamal cipher texts on the true value 
group ring. 

the secret key conversion means converts the secret key used for the 
combination of the cipher texts that are the calculation result of the data 
conversion means with a secret key corresponding to the public key generated 
by the reencryption public key generating means, 

the calculation result of the secret key conversion means includes a 
combination of multiple sequence alignment EIGamal cipher texts on the true 
value group ring and extended multiple sequence alignment EIGamal cipher 
texts on the true value group ring, 

the random number conversion means is adapted to convert a random 
number used for the combination of the cipher texts that are the calculation 
results of the data conversion means, and 

the calculation result of the random number conversion means includes a 
combination of multiple sequence alignment EIGamal cipher texts on the true 
value group ring and extended multiple sequence alignment EIGamal cipher 
texts on the true value group ring. 

Furthermore, the following construction may be adopted that the 
calculation means of the cycles subsequent to the first cycle includes of the 
calculation means of the second cycles and the calculation means of cycles 
subsequent to the second cycle, 
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the data main body of the transmitted data and the data main body 
calculated in the main calculation include a combination of multiple sequence 
alignment EIGamal cipher texts on the true value group ring and extended 
multiple sequence alignment EIGamal cipher texts on the tme value group ring in 
the second calculation, and 

the calculation means of the second cycles cipher text conversion means 
for converting the data main body of the transmitted data to generate an EIGamal 
cipher text or an ellipse curve EIGamal cipher text and partial decryption means 
for partially deciphering the cipher texts of the data main body of the transmitted 
data. 

Moreover, the calculation means of the cycles subsequent to the second 
cycle only includes the calculation means of the third cycle. 

the calculation means of the third cycle of the main calculation means 
outputs the transmitted data as it is. and 

the validity proof generating means outputs a null string. 

According to the method of calculating the function from the large number 
of Inputs, while the EIGamal enciyption method is used, the devices including the 
means for generating a correspondence table of the gate input and output whose 
values are concealed and the respective inputs subsequently operates so that 
orders of the correspondence tables including the set of the EIGamal cipher texts 
are shuffled as shown in Fig. 5. With the adoption of such a construction, it is 
possible to achieve the object of the present Invention by calculating the output 
of the function with respect to the inputs that are distributed to the respective 
devices. 

Effect of the Invention 

The first effect resides in that the calculation amount of the respective 
devices and the communication amount are remained to be only in proportion to 
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the number of gates of the circuit, which is efficient. 

This is because the correspondence table of the gate input and output Is 
generated with the EIGamal cipher text for each gate, and any random number 
generating device is not used, thereby making it easier to prove the validity for 
the calculation on the correspondence table to the third party. 

The second effect resides in that the number of times for the respective 
calculation devices to perform the communication with another calculation device 
is remained to be a fixed number Irrespective of the number of gates of the 
circuit to be calculated, which is efficient. 

This is because it is necessary to perform the operation for making the 
correspondence relation of the correspondence tables of the input and output of 
the respective gates unknown to all the calculation devices, but this operation is 
realized by the operation of shuffling the correspondence relations in orders by 
the respective calculation devices. 

Brief Description of the Drawings 

Fig. 1 is a flowchart for describing a prior art of Non-patent Document 1 . 

Fig. 2 is a drawing showing a relation between a calculation phase and a 
communication phase in a garbled circuit parallel construction process according 
to the prior art of Non-patent Document 1 in which calculation devices to which 
the same numerals are given are described several times but are the Identical 
devices which operate in a different time, and the time flows from the top to the 
bottom In the drawing. 

Fig. 3 is a flowchart for describing a prior art of Non-patent Document 2. », 
Fig. 4 is a flowchart for describing only one process out of processes 

performed in parallel plural times in a parallel rank determination process in the 

flowchart of Fig. 3 that describes the prior art of Non-patent Document 2. 

Fig. 5 is a block diagram showing a calculation process flow devised to 
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solve the problems of the conventional method by the technology proposed in 
this application. 

Fig. 6 is a flowchart showing a specific example of an operation of a best 
mode for carrying out a first invention. 

Fig. 7 is a flowchart showing a detail of the first half of an EIGamal cipher 
text preparation process in the specific example of the operation according to the 
best mode for carrying out the first invention. 

Fig. 8 is a flowchart showing a detail of the latter half of the EIGamal 
cipher text preparation process in the specific example of the operation 
according to the best mode for canying out the first invention. 

Fig. 9 is a flowchart showing a detail of the first half of a sequential 
substitution reencryption process in the specific example of the operation 
according to the best mode for carrying out the first invention in which processes 
of the flowchart shown in a balloon on the right hand side. 

Fig. 10 is a flowchart showing a detail of a result output process In the 
specific example of the operation according to the best mode for carrying out the 
first invention. 

Fig. 11 is a blocl< diagram showing a construction in the specific example 
of the operation according to the best mode for carrying out the first invention. 

Fig. 12 is a block diagram showing a construction of the calculation device 
constituting the best mode for carrying out the first invention. 

Fig. 13 is a flowchart showing a detail of an input process in the specific 
example of the operation according to the best mode for carrying out the first 
invention. 

Fig. 14 is a blocl< diagram showing a relation among devices accorcling to 
a second invention. 

Fig. 1 5 is a flowchart for calculation performed by the respective 
calculation devices of each cycle from first to third cycles according to the 
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second invention. 



Fig. 16 shows a data flow according to the second invention. 
Fig. 17 IS a flowchart for nnain calculation of the first cycle. 
Fig. 18 is a flowchart for main calculation of the second cycle. 



Fig. 19 is a drawing for facilitating understanding of data that is calculated 
with respect to each gate in the prior art. 

Best Mode for Carrying Out the Invention 

Next, embodiments of the present invention will be described with 
reference to the drawings. 

First Embodiment 

A first embodiment of the present invention will be described with 
reference to Figs. 6 to 13. 
[Preparation] 
[System configuration] 

As shown in Fig. 11, A calculation devices 308 respectively include 
communication means 307. Hereinafter, the calculation devices are called as 
follows In turn. 



character a which corresponds to the respective calculation devices, and the like 
are referred to as system configuration information. 



In a description described later, circuit information is input to the respective 
calculation devices expressed as follows. 




The number of the calculation devices, a relation with a subscript 



[Circuit information] 
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This circuit information will be described. 

First, a circuit expressed by input circuit information is denoted by f. Tiie 
circuit f is a circuit including m logical gates. The respective gates are referred to 

3S Gi Gi.....Gm. Herein, the respective gates have 2 inputs and 1 output. If 

the circuit is not formed by such gates, the respective gates are replaced by an 
equivalent circuit including a plurality of 2-input 1 -output gates. This replacement 
method is already known, so the description will be omitted. A wiring for 
transmitting a signal from one gate of the circuit to an input of another gate 
transmits a signal which conresponds to 0 or 1. An output wiring of G fkj is 
denoted by w (kj . The number of wirings to be input to the circuit f is set as n. 

and this is set as {w } « = m+i m+n- The wiring may be blanched in a midway to 

be input to two or more gates. The wiring Ck3 is adapted to transmit the same 
signal even in the case of blanching, and the blanched wirings are collectively 

refen-ed to as w (kj • Symbols w w ,|) denote outputs of the circuit f. All of 

the wirings of the circuit are either a gate output wiring or a circuit input wiring. 
Thus, the wirings {w (kj } k-i.....tn*n are all the wirings. 

When the outputs of the gates Gi and Gj are input to the gate Gk, that is, 
when the wirings w (ij and w jj, are input to the gate Gk, and the wiring wk is 
connected as the wiring for the output of Gk. a relation among the output b Tij 
of the gate Gi. the output b FjJ of the gate Gj, and the output b Tkj of the gate 
Gk, is set as follows. 

t>rkj=brjj@G Tkjbrjj 

Then, the calculation device u^°^ has a part of the signal to be input to the 
circuit f. The calculation device knows the signal propagated to a part of the \ 
wirings {w (kj } 

When the number of bits to be input to the circuit f by the calculation 
device u<°^ is Iq , and the inputs of the all the calculation devices are gathered, 
the Inputs constitute all the Inputs to the circuit. That is, the following expression 
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is obtained. 

With regard to k = m+1, .... m+n. bits that are input to the respective 
wirings w are set as b Tkj and the respective bits are allocated by Iq each 

for the calculation device u^^^ . In other words, the calculation device u^°^ 
determines the set described below. 

kkj e {0.l})k = m + Ip=i°""'' lp+ 1 m + Zp=i°lp 

Even when the allocation of the circuit numbers is changed, the circuit is 
not changed fundamentally. Therefore, even when the inputs are allocated in the 
above-mentioned manner, the generality is not impaired. 

The m gates Gi Gm. the calculation ®G[k] performed at the 

respective gates, the wirings {w } k^m^^i m+n connected to the respective 

gates, and the allocation of the input wirings {la}a=, .... A ^'th respect to the 
calculation devices are referred to as circuit information 300. 

[Group used for the calculation] 

In this embodiment, the calculation on an ellipse curve is utilized, so this 
group will be described. However, the group is not necessarily essential for 
carrying out the present invention. As a substitution of this group, a commutative 
multiplicative group such as a calculation on a prime field may be used. 

Hereinafter, reference symbol E denotes an ellipse curve whose order is a 
prime factor q. reference symbol E denotes O an infinite distance of the ellipse 
curve E, and reference symbol G(;^0) denotes a point on the ellipse curve E. 
The prime factor q is set sufficiently large to be cryptologically secure. A i 
mapping from the point of the ellipse curve E onto Z/qZ Is expressed by <p. The 
mapping cp whose Image space is sufficiently large is selected. As an example of 
the mapping <p, one of the values of the coordinate on the ellipse curve E Is used, 
or the like. When reference symbol h denotes a member and reference symbol 
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G denotes a point on the ellipse curve E. a point multiplied by h is expressed as 
[h]G 

[Notation] 

A character written on a right shoulder is a superscript but the character is 
not an order representing a power. In addition, □ represents an exclusive OR of 
the bit. 

[Input processes 203. 312] 

When the process is started, as shown in Fig. 6, first of all. an input 
process 203 is performed. The input process 203 will be described with 
reference to Figs. 12 and 13 which show the detail of the process. 

In an EIGamal cipher text preparation process, by using information public 
means and public Information obtaining means, disclosure and obtainment of 
data are both performed (309). 

[Determination of area variables] 

The calculation determines E. G, and <p. In addition, a method of using a 
hash function or the like determines a point H on the ellipse curve which no one 
can find out the original Z/qZ of in which H=[h]G is satisfied. These values E. H» 
G, and (p are referred to area variables 301. These values are all stored in the 
calculation device in advance (Step 100 of Fig, 13). 

[Input of circuit information and circuit part input] 

Information of the circuit f and system configuration information are input 
to ail of the calculation devices (Step 101 of Fig. 13). 

To the respective calculation devices \ . the following partial 

input dispersed to the circuit is input (Step 102 of Fig. 13). 
{bfkj ^ M) k = m + Ip=i°^l lp+ 1. m + Ip^^l^'lp 
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[EtGamal cipher text preparation processes 200, 203] 

[Setting of secret key and public key for each gate] 

Next, as shown In Fig. 6, an EIGamal cipher text preparation process 200 
is performed. The EIGamal cipher text preparation process 200 will be described 
with reference to Figs, 7 and 8 which show the detail of the process. 

The respective calculation devices u<°) uniquely and randomly generate 

gate secret keys described below for all k=1 m+n and ail b e {0.1} (Step 103 of 

Fig. 7). 

X^^^'^CkDeRE 
2^°) eR Z/qZ 

The respective calculation devices u^°> generate the following data for all 
k=1,...,m+n and all b € {0.1} . 

x(a)b|;k)=<j)(x(a)bck]) 

Then, the respective calculation devices u^°^ generate gate public keys 
for all k=1 m+n and all b e {0. 1} (Step 1 04 of Fig. 7). 

Y<*='>^Ck]=[x(°)bck}]G 
z(a)=[z(a)]G 

After that, the respective calculation devices Uq use Information public 
devices to make public the gate public keys generated by themselves (Step 106 
of Fig. 7). Hereinafter, in the first embodiment, to make public means that the 
information public device is used to make something public. 

In addition, with respect to each Y(°)''ck].Z^°'). while following a method A 
described separately, the respective calculation devices Uq generate the proof of 
having knowledge of x^^^'^CkD.z^"^ as the validity proof for the gate public key 
(Step 106 of Fig. 7) and make the proof public (Step 107 of Fig. 7), 
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[Setting of input public key] 

The respective calculation devices Uq generate input gate secret keys for 
all of the below. 

k = m + 1 + Zp=::1 ^'"''ip nri + Zp^i ^|p 

The respective calculation devices Uq use the input b Tkj e {0,1 } to 
uniquely and randomly generate input gate secret keys described below (Step 
108 of Fig. 7). 

'"'^JCkD^RZ/qZ 

The respective calculation devices Uq generate input gate public keys 
described below (Step 109 of Fig. 7). 

With respect to all k = m + 1 + Z p=i I j3 m + Z p^-j °lp and all 

b g {0,1 }, the respective calculation devices Uq make Y~'^(;k] as the input gate 
public key of the calculation devices (Step 110 of Fig. 7). 

In addition, regarding each k, while following a method B described 
separately, the respective calculation devices uq generate the proof of having 
knowledge described below with respect to b Fkj =Oorb Tkj =1 as the validity 
proof for the Input gate public key (Step 111 of Fig. 7) and make the proof public 
(Step 112 of Fig. 7). 

[Processing related to gate] 

All the calculation devices (uq } use the public infonriation obtaining 
means to obtain the gate public key expresses as follows (Step 113 of Fig. 8). 
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With respect to all k=1 m and all b e {0.1} . the calculation devices {uq } 

integrate the gate public key as expressed below by themselves (Step 114 of Fig. 
8). 

With respect to all k=1 m and all b e {0.1} , all the calculation devices 

l"a } uniquely and randomly generate the following data. 
r(«^)^k epZ/qZ 

Then, with respect to all k=1 m and all b.c.e e {o,1 } k=1. encryption is 

performed through the ellipse EIGamal encryption method, thereby generating a 
cipher text of the gate secret key described below (Step 11 5 of Fig. 8) and 
making the text public (Step 116 of Fig. 8). 

It should be noted that the wirings w [i] and w Cj} are input to the gate 
G [k] . 

In addition, the proof in that the decryption results of the ellipse EIGamal 
cipher texts (c(a)bcO^^j p(a)bcOj.^jj ^j^^ ^^^p^^^ g„ ^ b.c e {O.l } are 

identical to each other and the decryption results of the ellipse EIGamal cipher 
texts (C(°)*»<=\k].D<o)''«^''ck3) with respect to all k and all b.c e {o.l } are 
identical to each other is generated as the validity proof for the gate secret key 
cipher texts by using a method C described separately (Step 117 of Fig. 8) and 
the proof is made public (Step 118 of Fig. 8). 

With respect to all k=1,...,m and all b,c,p.v,^ e {0,1}. all the calculation 
devices (uq, ) generate secret key Identification data cipher texts described 
below by themselves (Step 119 of Fig. 8). 
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wherein £ = ((b Dp)® e rkj(^nv))D^. 
[Processing related to input wiring] 

With respect to all k=m+1,...,m+n and all e e {0.1} , all the calculation 
devices {uq j uniquely and randomly generate the following data. 

r^(«)^keRZ/qZ 

Then, with respect to all k=nn+1 .....m+n and all b, £ e {0,1} . all the 
calculation devices [uq j use the ellipse EIGamal encryption method to generate 
input cipher texts described below (Step 120 of Fig. 8) and make the texts public 
(Step 121 of Fig. 8). 

(c(a)bcej;k3.D(a)bcej;k3) « ([r-(a)^CkD]G. x(«)^CW + [r^<*^>^CkDl(Y-t^CkD + Z)) 
In addition, the proof in that the decryption results of the ellipse EIGamal 

cipher texts (C^^^'^^^Ck^.D^^^'^^Ck]) with respect to all k and all b e {0.1} are 
identical to each other and the decryption results of the ellipse EIGamal cipher 
texts (c(^)'^''ck].D<°)'^\kD) with respect to all k and all b g {0,1} are identical to 
each other is generated as the validity proof for the gate secret key cipher texts 
by using a method D described separately (Step 122 of Fig. 8) and the proof is 
made public (Step 123 of Fig. 8). 

With respect to all k=m+1 m+n and all b.5 e {0,1}, all the calculation 

devices |uq | generate input secret key identification data cipher texts described 

below (Step 124 of Fig. 8). i j 

wherein e = bD5 
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[Process related to output wiring] 

With respect to all the wirings k=1 1 and all b. g g {0.1} , all the calculation 

devices {uq ) generate output cipher texts described below (Step 125 of Fig. 8). 

(At(0)b ^ .B'^^°^'*Ck] 5 *=«^ (O-t e ]G ) 

wherein e = bD^ 

[Sequential substitution reencryption process 201 --^ substitution and 
reencryption of gate cipher texts] 

Next, a sequential substitution reencryption process 201 is performed as 
shown in Fig. 6. The sequential substitution reencryption process 201 will be 
described with reference to Figs. 9 and 12 which show the detail of the process. 

With respect to a=1,...,A, the calculation devices perform the following 
process (denoted by reference numeral 304 of Fig. 12) in turn (Step 126 of Fig. 
9). In this process, first of all, the respective calculation devices use the public 
information obtaining means to obtain necessary data (denoted by reference 
numeral 310 of Fig. 12) Next, the generated data is made public by using the 
information public means (denoted by reference numeral 311 of Fig. 12). The 
order of the A calculation devices is determined. In order that each of the 
calculation devices obtains the data, all of the other calculation devices in earlier 
turn before the calculation device need to finish the data disclosure. 

[Cipher text obtaining process] 

The following are obtained in Step 151 of Fig. 9. 

A^^'-^bCckD M.v.?.B(°-'')bCck3 M.v.5.c(°-1)P''<=CkD M.v.^D(°-1)Pbc^,5 
with respect to k=1 m, all p=1 A, and all b.c.ij.v.? e {0.1}. 

A(°-'')bck3 ?.B(°-'')bck3 ^.c(°--«)Pbck] ^D(°--')Pb(.k3 ^ with respect to all 
k=m+1 m+n. all 3=1 A. and all b.5 s {0.1} , and 
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At(a 1)b(.^^ ^ 3t(a 1)bj.^j ^ respect to all k=1.....|, and all b.§ e {0.1}. 

[Wiring signal value and substitution generation] 
The calculation devices u., uniquely and randomly generate substitutions 
{Tr(k) €R {0.1)}k_i m+n °f the signal values of the respective wirings (Step 

127 of Fig. 9). 

[Random number generation for reencryption] 
The calculation devices Ua uniquely and randomly generate random 
numbers described below v»/hlch are used for gate secret key reencryption (Step 

128 of Fig. 9). 

{s( a)bc^^^^^^ ,.„.m:b.c. . v . ^ e R {o, l > 

**^°'^^^''Ck:iX/.i/.^^k=1_.m;i3=l.....)3;b.c./^. v. 4 gR(0.1)' 
IsCa )bf ^-j ^ ^ eRtO.1}- 

{t( Of ) ^ b ^ ^ 'k=m+1 .^.m+n: 0 =1 ..... A :b. ^ e r {o.i> 

f''"*^Ck3^lk=1,„.l:b.^ eR{o.l} 

[Substitution and reencryption of gate secret key cipher texts] 

With respect to all k=1 m and all b.c.M.v.5 s {0.1}. the following data is 

generated by substituting the gate secret key for reencryption (Step 129 of Fig. 

9). 
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Ck) A* □ (i). V □ ;r (i).^ □ n(\0* 



Ckl A/ □ ttQ. vDnQXin niiO 



[Substitution and reencryption of Input cipher texts] 

With respect to all k=m+1 ,....m+n. all p^l A. and all b,^ e {0.1} . the 

following data is generated by substituting the input cipher texts for reencryption 

(Step 130 of Fig. 9). 



[Substitution and reencryption of output cipher texts] 

With respect to all k=1 1 and all b,^ e {0,1} , the following data is 

generated by substituting the output cipher texts for reencryption (Step 131 of Fig, 



AT(a)b^j^ ^= At(«-l)b^^^ ^ Q [stbj.^^ 
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[Validity proof for substitution and reencryptlon] 

{A<°)'^'^CkJ M.v.^B(«)t>0fk3 M.v.^c(°)PbCfk] M.v.?.DWbc^k] m.v.O 
with respect to all l<=1....,m. all p=1 A. and all b.c.|j,v.^ g {0.1}. 

{a(°)'=»C1c3 5.B(«)bck) 5.c(«)Pb^k3 §.D(°)Pbck3 ^} with respect to all 

k=m+1,..„m+n. all p=1 A. and all b.§ e {0,1}, and A''"^°)'^Ck] 5.B'''^°)''Ck] ^ 

With respect to all k=1 1 and all b.5 e {0.1} are transmitted to the calculation 

device Uq^i. 

In addition, the proof in that the above-mentioned process is appropriately 
performed is generated as the validity proof for the substitution and the 
reencryption regarding the gate secret key cipher texts, the input cipher texts, 
and the output cipher texts in accordance with a method E described separately 
and the proof is made public (Step 132 of Fig. 9). 

[Result output processes 202, 305] 

Next, as shown in Fig. 6, a result output process 202 is performed. The 
process will be described with reference to Figs. 10 to 12 which show the detail 
of the process. 

In the result output process 202. the information public means and public 
information obtaining means are used to perform both the disclosure and 
obtainment of the data (Step 312 of Fig. 12). Finally, the outputs of their own 
circuits are output (denoted by reference numeral 313 of Fig. 12). i| 

[Partial decryption of gate cipher texts] 

All the calculation devices {ua}a=1 A partially decipher the gate secret 

key as described below with respect to all k = 1 . .... m,b,c e {0,1}, ^ = t .... A and 
make the result public (Step 134 of Fig. 10). 
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A*<^)°'"=Ck3000 =[2<°)]AW«Ck]000 

All the calculation devices {Ua}a=l. .... A partially decipher the input cipher 

texts as described below with respect to all . k = m + 1 m + n, b e {0.1}. p = i a 

and make the result public (Step 135 of Fig. 10). 

A*<^)«^CW0=[2(->]A<^^kD0 

All the calculation devices {Ua}a=1 A partially decipher the output cipher 

texts as described below with respect to all k = 1....,l,b e {0.1} and make the 
result public (Step 136 of Fig. 10). 

At+(A)ab^^3Q = [z(°>]At(A)b^k30 

In addition, the proof in that the above-mentioned process is appropriately 
performed is generated as the validity proof for the partial decryption regarding 
the gate secret key cipher texts, the Input cipher texts, and the output cipher 
texts in accordance with a method F described separately and the proof is made 
public (Step 1 37 of Fig. 1 0). 

[Gate cipher text generation] 

Furthermore, all the calculation devices generate the following data as the 

gate cipher texts with respect to all k=1 m, all a=1,....A. and all b.c.e {0.1}. 

A^k] « A(^)'^'^Ck3000 

B«''=Ck] = B{^)»'<^Ck]000 -Za=1^A*(^)abCfk3oOO 
Ccbcck]=c(^)«bc^k3000 

D°bc^k] » D(^)«bCf k:,ooo - Ia=1^C+(^)°'Pbc^^-,j,QQ 
All the calculation devices generate the following data as the gate cipher 
texts with respect to alt k=m+1 ,...,m+n. all a=1 A. and all b e {0.1} . 
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Then, all the calculation devices generate the following data as the gate 
cipher texts with respect to all k=1 1 and all b e {0,1} (Step 138 of Fig. 10). 

[Decryption of inputs] 

The calculation devices u^°^ generate the following data with respect to all 

•k = m + 1 + Zy=i°~^lY m + lysi^ly and all p=1 A without disclosing b Tkj 

and make the data public (Step 139 of Fig. 10). 

X b (^)c,,;, =D^brkj^^3 _tx-brkjj.^^]c^brkjj,^^ 
xb(^)j,3=0(xb(^)t,;,) 

The data made public is referred to as data deciphered from the input \ 
cipher texts. 

All calculation devices Uq checks the following data with respect to all 
k=m+1 ,...,m+n and all p=1 .....A to check the validity of the input cipher text 
decryption (Step 140 of Fig. 10). 
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Y<P)^ Hk)=lxKP)ck)lG 

wherein if g\w} = 0. €k = 0.. and if G''Ck:)=G. = 1 . 
[Circuit evaluation] 

With respect to all the gates Gkk=i m. all the calculation devices Uq find 

out outputs on the basis of the inputs in an appropriate order in the following 
manner (Step 141 of Fig. 10). This is the process for the circuit evaluation. It 
should be noted that outputs of the gates Gj and Gj are input to the gate Gr. 

The following data is obtained with respect to p=1 A (Step 142 of Fig. 

10). 

G b Ck3=B'''"'JbriJ^^- 11 A(x(r)brjjj.^^ +x(r)brjj|.|^^)] Abnjbrjjj.|^ 

With respect to all p=1 A. Y^P)^ = [x''<P>Ck]lG is checked (Step 

143 of Fig. 10). It should be noted that If G''CkD = 0. Ek = 0,. and if G''Ck3=G. 
£k=1. 

With respect to k to which the above-mentioned process is performed, b 
Tkj = Ek is set. 

[Output evaluation] 

The proofs made public up to this process are verified by a verifier (Step 

144 of Fig. 10). If the verifier accepts all the proof texts, in other words, if no 
violations are found, the following process for the output deciphering and 
disclosure is performed. 

With respect to k=1 1, all the calculation devices Uq obtain the following 

data (Step 145 of Fig. 1 0). 
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With respect to k=1 1, all the calculation devices {Ua}a=1, .... A generate 

the following data (Step 146 of Fig. 10). 

Then, the data Is made public (Step 147 of Fig. 10). 

In addition, the validity proof for this calculation is generated as the validity 
proof for the output deciphering in accordance with a method G described 
separately (Step 148 of Fig. 10) and the validity proof is made public (Step 149 of 
Fig. 10). 

The respective calculation devices Ug find out a circuit output (denoted by 
reference numeral 306 of Fig. 11) on the basis of the following data (Step 160 of 
Fig. 10). 

G^Ck] = G^'ck) - ly^ A">"*CkD 

With respect to k=1 1, if G-'^CkD = 0 . b Tkj =0. and If G-'^CkD = G . b 

fkj =1. 

[Separately described processes! 

[Separate description A] 

With respect to ail k=1 m+n and b e {0.1} , the certifier (calculator) Uq 

uniquely and randomly generate the following data. 

x'^°%DeRZ\qZ 

z'(a)Ck)eRZ\qZ 

Y'(a)''Ck3 6[x't°)»'[k3lG 
2.(a)^j2.(a) jQ 

Further, the following data is generated. 
B = Ha6h(E.G.(Y<«)»>CKDJk=1...m*ri*=0.1. 2^"^. lY^^^'^nO^k^l m+n:b=O.V -"^d q 

Then, with respect to all k=1 m+n and b e {0,1} , the following data is 

generated. 
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z"(ar)= 0 Of) + Of) 

The certifier sets the following data as. the proof with respect to all 
k=1 m+n and b e {0,1} . 

The verification method for the above-mentioned proof is as follows. The 
verifier calculates the first expression to check the second and third expressions 
described below. 

e = Hash (EAM«)bc,3l,=,, zCar). z<«) ) .od . 

b"CQf)]G= e z(a)+Z<Qf) 
[Separate description B] 

Each certifier (calculator) u^°) uniquely and randomly generates the 

following data with respect to all k = m + 1 + 1 p^, 1 p m + Z p»i 

selected b Tkj s {0.1}. 

x~'b ""kJck^GRZ/qZ 

Then, the following data Is generated, 

Y-'^ '''^-'Ck3=rx"'' ""Hk^lG 

Moreover, the following data is randomly generated. 

0brkjnij.|^^ epZ/qZ 
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After that, the following data Is randomly generated. 

The certifier Uq generates the following data with respect to all 
k = m + 1 + Zp=-i°'-''|p m + Zp=i °lp. 

) mod a 

Furthermore the following data is generated. 

The certifier Uq sets the following data as the proof with respect to all 

k = m + 1 + Z p=i I p nri + Z p=i °lp, b = 0,1. 

Y'-'^Ck3.eOckD.x~"'^CkD 

The verification method for the above-mentioned proof is as follows. 

With respect to all k = m + 1 + Z p=,i I p m + Z p=i °lp, b = 0,1 . the 

verifier generates the following data. 
e = Hash(E.G. tY-b^^^, y-bj-^^ J^^^) n,od q 

With respect to all 
k=nn+l+Z ^^^af-ll^,_nn+Z ^^^oi i^.b=0,1 
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it is checl<ed whether the following expressions are established. 
[Separate description C] 

The certifier (calculator) u, uniquely and randomly generates the following 
data with respect to all k=1,...,m and all £=0.1. 
r'<°)^°Ck3eZ/qZ 

Then, the following data is generated. 
F(a)eQj.^^ = [,.(af)eOj.j^^]G 

F( or) £ 2j.^3 = Cr'( or) £ 2^^^H Yl -y0^3) 

Furthermore, the following data is generated. 
e(a)^^y = Hash (E.G. ( c(cr)bo e D(«)bc S )^^^_^^^ ^^^ ^, ( F(«)eo^^^. 

Next, the following data is generated. 

r<CtU = e<ar)^^j ^a)e +r<a)e mod q 

The certifier sets the following data as the proof for k=1.....m and £=0,1. 

f(«)£0^|^j. F(or)Elj^. F<a)£2j^3. ^(ar)£ 

The verification method for the above-mentioned proof is as follows. 
The verifier first checks whether the ct^^'^^^fk] are the same value with 
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respect to each of £=0.1 and k=1 m for all b.c=0,1 . 

Next, the following data is generated. 

CkJ- Ck> '1<=1 ..-.m; e =0,1 J 

Next, it is checked whether or not the following expressions are 
established with respect to all k=1 m and e=0.1. 

Lr'<ct) ^ck]HYlcQ-YO^j3)=ce(af)^^3] (D(«)10 ^ -D(ar)ooe ^^j).,F(«)e 
[Separate description D] 

With respect to all k=m+1,....m+n and all b,£=0,1. the certifier (calculator) 

ua uniquely and randomly generates r'(°)^i:k] eZ/qZ . Then, the following data 
is generated. 

Furthermore, with respect to all k=m+1 m+n, the following data is 

generated. 

"•■^ LkJ' CkJ'"^ CkJ 'k=m+1,...,m+n:b.£=0J ^ 

Next, with respect to all k=m+1 m+n and all b.e=0.1, the following data is 

generated. 



42 



The certifier sete the following data as the proof with respect to 
k=m+1,...,m+n and e=0,1. 

The verification method for the above-mentioned proof is as follows. First 
of all, the verifier checks whether or not the values of C^*^*^ck) are the same with 
respect to each of e=0.1 and k=1 m for all b=0,1 

Next, the following data Is generated. 

fl««)CO, = H~h (E.a ( 0(a)l.^ ft). D«.» = c„, F«.).. ^ Wl_».*rt.^=0.1 > 

Then, it is checl<ed whether or not the following expressions are 

established with respect to all k=m+1 m+n and all e=0,1 . 

) £ ^^^]G = t e ( a C( ff )0 e f ^ + F< a ) «r 0 J 

[Separate description E] 

With respect to a=1 A, the calculator performs the following process 

in turn. 

The calculator u„ performs uniquely and randomly selects the following 
data from Z/qZ. 

f<^^^-'^'"^Ck]AI.V.^-^^^~'^^'''=Ck]Ai.v.^)k.l m:i8=l...,A:h=2/3.1/ 

3.0:b.c,;/.v.^ 6{o,il 

wherein 

2^h=o.i/3.2/3 ^^''-'^^'''=Ck3;/.v.^ = t(«)^bc^^j^^^^^ 



43 



The calculator u„ generates the following data with respect to all k=1 m. 

and all b,c,M.v,^6{0,i}. 



A(a-2/3)bc 



'"'ClO/i.v.^lCYbfjj+Yc^j+z) 

A(orH/3)bc^^3^^^=A<«-^./3)bc^^^^^j^^^^,t^(^.,^^^^^ 
cC«-l/3)^ ''-CkDxi.v.f =c(«-2/3)^ "•^^,..^□^0).^ •^r(«-1/3);8 

A^«>^''Ck3^.v.f=A<«-V3)bc^,3^^j3^^j^,[^(a)bc^^^^_^^3^ 
^^''^^''''Ck)//.a..£=c(«-i/3)^ ""CkD^.vD^rCD.f *[-<«>^''«^Ck]/..v.^]G 

Next, the calculator u„ uniquely and randomly selects the following data 

fron^ Z/qZ with respect to all k=1 m. all p=1. all h=2/3,1/3.0, and all 

b,c.|Li,v,^G{0,l}. 
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Next, the calculator u„ generates the following data with respect to all 
k=1 m, all p=1, and all b,c,n.v.^s{0,l}. 

D.(«-1/3)^ bcj^^^,j^^ ^=D(«-2/3)^ "^'CIO^.VD^CD.^ -Cr<«-1/3)^ 

A<''^''Ck)7cOO/i.v.^=A(«-1/3)bef^^^n„^,^*ta<ot)bc^^-,^^^]G 

B<«*«'tk3;t(k)^.v.^=Bt«-i/3)bc^KD;,.;.P;rOU* 
[a'Car)bOf^3^^^3CYbfj34.Y<»f,3+z) 

^•^'*^^''^Ck);r(k)/i.v.^ =C<«-i/3)/S ''OckD;ti..n^0).^-C-<«)^''«'CkD//.v.^]Ca 

Furthermore, with respect to all k=m+1 m+n, all p=1,...,A. and all 

b.4 6 {0,1} , s''°'\kH ,t•"''^k]4 is uniquely and randomly selected from Z/qZ. 

With respect to all k=m+1 m+n and all b,^ e {0,1} . the following data is 

generated. 
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D'^"^^'*Ck3;r(k)^=«>^«-^>^'>Ck3^a;r(k)-&'^''>^''Ckl^](Y-t'c^^^^^ 

Then, the following data is uniquely and randomly selected from Z/qZ with 
respect to all k=1 ,...,1 and all b,? e {0,1} , 

With respect to all k=1 .....1 and all b.^ e {o,lJ , the following data is 
generated. 

With respect to all k=1 m and all h=2/3,1/3.0. the following data is 

uniquely and randomly selected from Z/qZ. 

With respect to all k=1 m. all p=1 A. and all b.c./i .y,$&lOA) , the 

following data is uniquely and randomly selected from Z/qZ. 

c.<a-2/3)bo^^3 ;r(i)ai.//.v.^. a-<Qr-1/3)be^^ ;rO>Ol.,i.v.^ • ^'<«^'«^Ck3 
;rO>ni./u.v.^' r'<0')^bc^^ jc{iOn\,u.v 

Next, with respect to all k=m+1 m+n. all p=1 A, and all b,^ 6 (o.i) 
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the following data is uniquely and randomly selected from Z/qZ. 

Next. With respect to all k=1 1 and al) b.^e(o.i) , the following data is 

uniquely and randomly selected from Z/qZ. 

Next, with respect to all k=1 m, ail [3=1 A. and all 

h.o./i.v.^ e (0,1) , the following data is generated. 
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V3)bc^^^ ;f.V.^n,t(k) 

Ce(«5ck3;r(k)Di]Bf«-V3)bcj;0 //.v.^n^(k) 
0(a-l/3)/»bc^^^^j^^^^ 

D'(«)^bc^^ ^OOOI./l.!*.^ =[r'<«)^bc^^3 ^ooni./i../.^3(YbcQ+Yc^3+z)- 
Ce<«5ck3;r(k)DllD<''-^'^>^ '"'Ck) A.v.^P;r(k) 

Next, with respect to all k=m+1 m+n, all 3=1.... ,A. and all b.^ e (o.iJ . 

the following data Is generated. 
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A^'^^IO ^(i)01.^= f^«-l*DO 7r(OD1.^3G-[fl(a)j^3^QjQ^3A(or-i)b 
£ DttO) 



Next, with respect to all k=«1 1 and all b. ^ e (o.i J . the following data 

is generated. 

B^-^^^^^Ck) 7r(DDl.^=t«'^"<«-'V3 .r(i)Di.^]CYbj^]*2)-Ce(fl')ck3^(jjn^]Bt(a- 
Next, the following data Is generated. 
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S = (E.G. 
( 

k=l.„.mdiP2/3.l/3.0:/5si^^A: b.o./^.v .^.^ e{0.1> 
{ 

AC or)bj.^3 ^ . B(a)b^,3 ^ . C(«)^ b^^ ^ . D( a)^ b^^ ^ . 

•k=m+l...,m+n;^=1^,A ;b.^ elO.ll ) 
( 

At(Qr)bc,3^.BtCor)b^^^ 

A+<'^^kD^^.B-W«^kD^.^ 
•k=l.>..l:b,^.ee{0.1}l 

Next, each verifier ua generates the foilowing data with respect to all 
k=1,...,m+n. 

5^«\k5 = Hash(E.GX S) 

Next, with respect to all k=1 m+n, the following data is generated. 

Next, with respect to all k=1,...,m, ail p=1.... ,A. all h=2/3.1/3.0. and all 
b,c, jU , 1/ , ^ e {0,1 } .the following data is generated. 
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Next, with respect to all k=m+1 m+n, all p=1 A. and all b.i e (o.lJ . 

the following data Is generated. 

^"^^^''^WTrO)^ =^^^>Ck37r(0*^°'-^^^'*Ck]^ •^^■^^-'^^CkDf -o'^q 

Next, with respect to all k= 1 1 and b. ^ e {0,1 ) . the following data is 

generated. 



st"(a)b 



Finally, the following data is set as proofs. 



^^•^"'^kJ^.^. ^•<''>^'>Ck3f,^. 
with respect to all k=1 m:h=2/3.1 /3,0; jff =1 A :b.c. ti.v.$,^G {O.i } . 



51 



with respect to all k=m+1 ^_,m+n; ^ =1 ,~, A J), ^ , f s{0,1) . 

with respect to all k=1„.li>,f ,^ e{0.1J. 

With respect to all Rsl .^,m+n . 

The verification method for the above-mentioned proof is as follows. 
The verifier generates the following data. 
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[ 

lksK...m:h=2/3.1/3.0:^=1.„.A:b.e.;/.t/.e.e: el0.1> 
{ 

A<«^^CkK.^'S^"V}f.^c<«)^b^^-,^^.D'(«)^b^^3^^ 
•h<=in+l.....m+n:5=l„_.A:b.^ .f e(o,iil 

c 

•k=l.-..l;b,^.4:el0.1)' 

Each verifier ua generates the following data with respect to all k=1 m+n. 

e(^)(;^ = Hash(E,G.k.S) 

It is checked whether or not the following expression is established with 
respect to all ks1,...,m. 

Next, with respect to 

k=1 ....,m;h=2/3,1/3,0;iS =1 A ;b,c, , v . | . f e lO.l] . the 
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verifier checks whether the following expressions are established. 

B^«-^)''»clO;l□^v.^)-B<«-2/3)bc^k34r./i...^ 

[T"(a-2/3)^ *"'CkK.^.v.#l<^ra*'^a3*z) = C0<«)ckU] CD(a-2/3)fl 

I<r-{flr-i/3)boj^^^^ ^3G = [e(«)c^3^](A(a-l/3)bcj,;,^ „^^-aC«-2/ 
'^"^CkD ;/ □ ^ . ^ ) -aK ar.1/3)bo^^3 ^ ^ ^ ^ 

[<rKaH/3)b«f^^^^^](Yb^,3,YCQ3*z) = [e(ff)^^3^](B(a-2/3)bcj^^ ^ ^. 
B(«-2/3)b.j^^^^^^5_B.(a-1/3)bc^^^^^^ 

tr-(ar-1/3)^ boj^^ ^ ^^]G = [0(«)^^j^3(c(a-l/3)/» bc^^^^ ^ ^- c(af-2/3)i8 

»»-Ck3;/ne.v.^)-c<«-»/«>^ '"'Ck3f.^.,..^ 

[r-(a-1/3)^ »'^Ck3^./i.l/.^3 (Ybfo-^Yc^j+Z) = i:e{«)c,j^] (DCor-1/3)/J 
•^CkJi/.i^.^-Df^-^/s)^ '"'Ck]^Df.v.^)-I><«-'/«^ '•"CkDe.ii.v.^ 
tor'(«)bCf^^^^^]Q = te(or)j^3^]tA(Qr)bc^^^^^^.A(a-1/ 
^^'"^CkJ/iO^.l/.^J-A^-'^bc^Kj^.^i.v.^ 

[a"(a)bc^y^^^^](yb^.^YOg3*z) = C0(«)c^3^](B(a-i/3)be^^3^ ^ ^-bC«-2/ 
^^*^(kD/iDf.y.^)-B<«*''Ck]f.ii.v.^ 

CrKoDflbcj^^ ^^^]C = [0(a)^^^3(c(a)^bC(.^^^ ^.c(a-1/3)^ 
'>'»Ck3;in^.v.^)^<«>^*"=CkK.;i.v.^ 

[T..(«)^bc^^3^^^^j(Yb^.3^Yo^34.z) = [0(flr)c^3^]CD(flf)^bc^^3^ ^ ^-d(o-i/ 
^^^'«=Ck3//De..^.^5-t><*'^'''"'CkD^.|/.u.f 
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Next, with respect to k=m+1 m+n; B =1 A :b. ^ , ^ s {0,1 ) , 

the verifier checks whether or not the foilowing expressions are 
established. 

^^"^''^''ClOf .^3 C^CI0*2) = Cfl(«)ciOc3 B(«-i\,,3^ P^) - 

[t<a)^bj^^^](Y-b^^3+Z) = [0(«)tkD^3CD(^>^»'j^^-D(«-l>/»b^k3^nf>- 

Next, with respect to k=1 J;b, ^ , 4r ^ lO.ll . the verifier checks 
whether or not the following expressions are established. 

[Separate description F] 

Regarding the certifier (calculator), with respect to all k=1,...,m+n and all 
b,c e (0,1) , all the certifiers (calculators) a)a=1,.^, A uniquely and 
randomly generate ^ ^ e p Z/qZ and generate Z'C ^ > = [z< Ot )}g . 

With respect to all k=1 m, all b.c e {o,11 , and all p=1,...,A. the following date 

is generated. 
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With respect to all k=m+1 m+n. all b e {0,1} . and all p=1 A. the 

following date Is generated. 

With respect to all k=1 1 and all b € [0.1 ) , the following date is 

generated. 

Then, the following date is generated. 
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I a( A )b(.^j^ C( A ) P bj^jg Wl.^m*n:b=0.1:j8 =1 A • 
tA''^^*Ck]oWl....l;b=0,l. 

lA^^'^'-^WOOO. C«^)« ^ bej^^^^ l.=1...^*.c=0.1:^ =1....A- 
{Z<«)). 

1 A'<^5«'>«CI0000- '""=O000o)l<=l„.„,:b.e=O.1;/!=,....A. 
I A-( A ) a b^^^ C< A ) or ^ b^^3„ W,„„^i^.1 ^ ^ =, .... x • 

Furthermore, the following date is generated. 
d = HashCE,G. S) mod q 

In addition, the following date is generated. 

The certifier sets the following data as the proof. 
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z'<a) 

The verification method for the above-mentioned proof is as foilovA^. 
The verifier generates the following data. 

S = { [ a( A ^°Ck3000' ^ >^ ^^'CkDOOO- Jk=1._..m:b.c=0.1 =1 A • 

{ a( a )b^^^Q. c( A ) ^ b^j^Q y^^^^^^ ....m+n:b=0.1 : iS =1 _ A • 

..m;b.c=0.1:B=l„,A' 
lA«^>«''CkJO. C*^)"^ ^ Wl....m4T«b=0.1;ff=1....A- 

..^;b.c=0.1;^=1,.^,A' 
[-A'(A)ab^^^Q. C<A)Qf ^bj.j^^Q)^^^^,^ ^^^^ 

^At'(A)ab^^^Q^^^^^_^^^,^^,^^^.Jl 
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Then, d = Hash(E.G, S) mod q is calculated to obtain the 
following expression. 

[2"(a)]G = Z< [ e ]2( flf > 

After that, the following expressions are checked. 
With respect to all k=l,„.,m, b.C e [0,l), j8 =1...., A . 

With respect to all k=m+l....,m+n. be [0.1], /S =1 A . 

fc"(of)]A(A)b^^3Q=A<A)orbj.^^Q^{a]A+(A)Qrb^^-,jj 

Cz"( a >|c( A ) ^ b j-^-j^^ = C< A ) a ^ b ^ +[ 0 ]c*( A ) of ^ b ^^^^ 
With respect to all k=1 .....I. b S (0.1) . 

t"( ot )]At( A )bj.^^Q= At< A ) ab^^^^ 0 ]At+( A ) or b^^^^ 

[Separate description G] 

The calculator ) uniquely and randomly generates 
z<a)eRZ/qZ and generates At'j^,,;, = Cz< 0^ )] Atb^kJ ^j^^ 
respect to k=1 .....1. The certifier generates the following data. 
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Then, the certifier generates the following data. 
e = Hash(E,G, S) mod q 

The certifier generates the following data. 

z"(af)= 0 2(af)+2<Qr) mod q 

The certifier sets the following data as the proof. 

The verification method for the above-mentioned proof is as follows. The 
certifier generates the following data. 

tA+'CkDJk=i..jl 

The certifier generates the following data. 

e = HashCE.G, S) mod q 

When the certifier confirms the following data, the certifier receives the 
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proof. 

k"(a)3Atbrkj^^j=At'[^.[e]A%3 

Second Embodiment 

A second embodiment of the present invention will be described with 
reference to Figs. 14 to 18. 

In this embodiment, as shown in Fig. 14. each of N calculation devices 
1401 has a calculation device 1403. Hereinafter, these calculation devices are 

referred to as U1 UN in order. For the sake of notation. UN is also referred to 

as UO. 

[Method outline] 
[Data flow] 

A data flow according to the second embodiment will be described with 
reference to Fig. 16. 

First of all, U1 of the calculation device 1401 calculates DATAOO. This is 
referred to as "a calculation of the zero-th cycle" (1701). 

Next, "a calculation of the first cycle" is performed. 

U1 calculates DATAi^ from DATAo^ to transmit DATA11 to U2 (1711). 

Next. U2 calculates DATAi^ from DATA11 to transmit DATA12 to U3 (1712). 

Hereinafter, the data is transmitted in turn. UN calculates DATAi*^ from 
DATAl'^"^ to transmit DATA1N to U1 (1710). At this point, the calculation of the 
first cycle is ended. 

Next, "a calculation of the second cycle" is performed. 

U1 calculates DATA2^ from DATA1N to transmit DATA21 to U2 (1721). 

Next, U2 calculates DATAa^ from DATA21 to transmit DATA21 to U3 (1722). 

Hereinafter, the data is transmitted in turn. UN calculates DATAz'^ from 
DATAa'^*^ to transmit DATA2N to U1 (1720). At this point, the calculation of the 
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second cycle is ended. 

Next, "a calculation of the third cycle" is performed. 

U1 calculates DATAa^ from DATA2N to transmit DATA21 to U2 (1731). 

Hereinafter, the data is transmitted In, turn. The protocol is completed 
when UN completes the calculation of DATA3N from DATAs'^"'*. 

[Input and output of the respective calculation devices 1401] 

Next, Input and output of data exchanged among the respective 
calculation devices 1401 will be described with reference to Fig. 14. 

Circuit information 1404 and a circuit partial input 1402 are input to the 
respective calculation devices 1401. 

Herein, a case will be described in which the number of fan-ins of 
elements other than input elements represented by the circuit information 1404 is 
2. 

An input bw to an input element w of the circuit is secretly owned by one of 
U1 UN. U1 is also referred to as UN+1. 

A combination of input bits secretly owned by Ul corresponds to the circuit 
partial input 1402. 

A circuit in which input elements i of the circuit represented by the circuit 
information 1404 are regarded as elements for outputting bw when any input is 
received is hereinafter expressed as C[1]. 

The number of fan-in of all gates of C[1] is 2. 

Fan-ins at the upper left and the lower right are referred to as L(w) and 

R(w). 

When the circuit information 1404 and the circuit partial input 1402 are 
input to the respective calculation devices 1401. Ul firstly performs the 
calculation of the zero-th cycle while following a procedure to be described later. 

The input and output in the calculations of the first to third cycles have the 
same data configuration. Data to be transmitted to Ukl in the calculation of an i- 
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th cycle by the user with respect to i=1,2.3 is hereinafter expressed as DATAiL 
DATAi-1N is also referred to as DATAIO. 

The result of the calculation performed by U1 in the calculation of the zero- 
th cycle is referred to as DATA01 . 

DATAi* has a fomiat of DATA,' =DATA,'-^ || BODY,' UPROOFi* || SIG,*. 

DATAil-1 Is a message sent from UI-1 . BODYil is a main body of the 
message. PROOFil Is a validity proof text of BODYil. SIGil is a signature of Ul 
for DATAIH || BODYil UPROOFiL 

The outline of the calculation of the first to third cycles will be described. 

In the calculation of the i-th cycle, first of all, Ul receives DATAil-1 from Ul- 
1 (1501). 

(Only U1 of the first cycle exceptionally uses DATA01 made by itself). 

When receiving DATAi*'\ Ul verifies all validity proof texts PROOF11, 
...,PROOFI.11 (1502). Next, Ul verifies all signature text SIG,\ .... SIGI-11 
(1503). 

Only in the case of the first cycle and also 1=1 , the calculation of 1 504 is 
performed. Next, Ul performs random number generation (1505). Then, Ul uses 
the random number to perform the main calculation to generate BODYil (1506). 
After the main calculation is completed, Ul generates a validity proof text 
PROOFil of BODYil (1507). Then, Ul generates a signature text SIGil with 
respect to DATAiH || BODYil || PROOFil (1508). 

Finally, Ul transmits DATAil =DATAiM || BODYil || PROOFil ||SIGil to UI+1 
(1509). 

[Symbol] 

Hereinafter, symbols used in this specification will be described. 
[Encryption method E[27]) 

G[1] denotes an abelian group with a difficult DDH problem (for example, 
an ellipse curve group on an infinite distance on an ellipse curve group on a finite 



63 



field), p denotes an order of G[1], and O denotes a zero element of G[1]. 

n is treated as a symbol and the following symbols are defined. It should 
be noted that with respect to P[|0|] S G[1] . (P[|0|],0) is abbreviated to be 
simply expressed as P[10|] and regarded as the following. 

FpC B[12], G[1] C G[12B] 

Then, a sum on G[12B] is defined by a sum for each component to obtain 

the following. 

W [12] ==312''^ is set. establishing 

G [12W] = G [12B] 
w[2] e W[12] 

a component of w[2] is expressed as [2|a|]. A sum and a product on 

W[12] are defined by a sum and a product for each component. Then, a sum 
and a scalar multiple on G[12W] are defined by a sum and a scalar multiple for 
each component 

• B[12]=Fp ir,-^ /(772-I), 

• 5^[24](1)=1, ,&[24](0)=;7, 

• aP[2]=(a[|0|]P[|0|]+a[|l|]P[ni],aa[|01]Pa[|11]+a[ni]Pa[|0|]) 

• W[12]«B[12] 

• e[|il]=(0,-,0,l,0,—,0) (only i-th is 1) 

• ^ C2] : Fo-^W[l2] Is set as X —5 „ ^ [2] (xtl « |])e[| a 1] 

^ Wherein 

• P[2]=(P[|0|3,P[11|]), P[23]=(P[3|0|].P[3|1|]) e G[12B3, 

a=a[|0|]+a[ll|]7 e B[12]s P[2]= 
(PCI0|],P[|1|3) e GI12B], 

• K ' the number of bits of p, 

• x=x[|k-l|] II II xLIOj], 

• G[12W]=6[12B] «■ , 

The encryption method E[27] is a resemblance of an ellipse EIGamal 
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encryption in G[12W]. 

A secret key space is denoted by Fp, a public l<ey space is denoted by 
G[12W]2, a plaintext space is denoted by G[^2W\. and a random number space 
is denoted by W[1 2]. 

In order to generate a key, a key satisfying P[|0|].PI|1|];^O if 
P=P[|0|]+nP(|1|] is arbitrarily selected. By randomly selecting a ^ Pp ,Q=aPis 
satisfied, a denotes a secret key and (P.Q) denotes a public key. In order to 
cipher a plain text M. r e b[12] is uniquely and randomly selected to calculate 
a cipher text (P[3],Q(3])=(rP.M+rQ). In order to decipher (P[3].Q[3]). Q[3]-aP[3] 
may be calculated. 
[Encryption methods E(2].E[25)] 

The following data is defined: 

• K[l]={ |x[lwHh|]KweC[1],WejUR),h€|0.l)amnintt„ouflh)( x[|v»V(h|]eFp 

• A[l2]=i I a[2|WWi)k|]l (lweC[l],We(L,R).i, j,k€l0,inaren.nlhn,u9h)|al 

• A[125]=i [ A[25|*iWiik|i[6]j[6]kC6]](iwec[l],We|L,R)J,i[6],i,jl 

I A[25|WWi jkl I [B] j [6]k[6]] ew[12]l 

• 6[11K|]=1 lP[|wWhl]l (iwec[1],We{L,R),he|0jnB.en.nih™ugh)|P[|wWh 

• G[12|Al]=l I P[2|wWi jkl]| (weCCl],We (L.R) . i, j, ks.io.ll j ) |P[21wWi. 

• G[1241A|]=i 1 PC24|wWijk|iC6]j[6]k[6]]| 

( lwec[l],We (URl . i, j, k, i [6], i [6], k[G]e (0, 1} ) a«n«.ihn«9h) 
|P[24lwWMk| i [6] j C6]k[6]]eG[l2W3, 

• aA=(aA[t1|],aA[|2|]) 

• a[5]A[5]t=(a[5]A[5|1 |],a[5]A[5l2|]) 
• Wherein 

• a eA[12] 

• A=(a[|l|],A[I21]) e G[l2|A|]2 

• a [5] e A[125] 

• A[5]=(A[5ni3.A[5|2|]) e G[124|A|]2 



A wWh component of the original x of k is referred to as x[|wWh|]. A wWijk 
component of the original x(21 of A[12] is referred to as x[|wWijk|]. A component 
of the original A[25] of A[125] Is referred to as x[|wWijkli[61j[6]k[6]]. 
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A sum. a product, and a scalar multiple of a multiple sequence alignment 
are defined by a sum and a product for each component. However, exceptionally, 
only a product of the originals of A[125] and a scalar multiple of the original of 
A[125] of the original of G[124|A|] are defined as follows. 

• af25]*b[25]=Zi[7],j[7],k[7] 

a[25|wWiik|i[7]j[7lk[7]] 

b[25|wHi [7] j [7]k[7] 1 i [6] j [6]k[6]] , 

• a[25]*P[24l=Z a[25|wWi jkl i [7]i [7]k[7]] 

P[24|W«i[7] j[7] k[73|i[73j[7]k[7]] 

(A sum related to ! i [7] , j [7] , kC7] ) 
The following symbols are defined. 



• E[25]C{Z[2]1s[25])](MC25]) 

|E[27][(Z[2] |s[25|WWi jkj i [6] j [6]k[6]3)] (M[25|wWi jk} i [6] j[6]k[6]])) 

• E[25][(Y[2]|s[25])](MC25]) 

E[25][(sC25]|Zi:25])](MC253) 

• E[2l[(x[2]|r[2])](M[2]} 

St 

lEC27][(x[2|wWijk|3lr[2|WWiik|])](MC2|wWljk|]) 

• E[23[(Y[2]|r[23>3(M[23) 

. .i[23C(x[23lr[23>3(M[23) 

• \A/Hereln 

• M[25]= (MC25|WWi jkj i [63 j C63k[6331 , 

M[25|wWijk|i[63i[6]k[6]] e G[12W] 

• Z[23= {Z [25 1 wWi i k I i [63 j [6] k [B] 3 } . 

(Z[25|v»Wljkli[6]j[63k[5]3 e G[12W32) 

• s[25]=|s[25|WWijk|i[6]j[63k[633) eA[l25] 

• Y[23=(P[23,r[23)e6[12W3, 

. • Z[253=|Y[23) [|wHjjk|i[63j[6]k[6]3 

• M[23=lMt2lWWiik|3][lv«Wlik|3 (M[2|wWijk|3 e G[12W3) 

• x[23=(P[23,Q[23)=(|P[2|*WUk|]|, { Q[23 

[jwWijkj])) 

(P[2|wWiikl3, Q[2lwWijkl3€G[12W3), 

• r[23=ir[2|wWijk|3K r[2|WWi jk|]€ j)W[123 
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The encryption methods E(2], E[25] are referred to as a multiple sequence 
alignment EIGamal encryption on a true value group ring and an extended 
multiple sequence alignment EIGamal encryption on the true value group ring, 
respectively. 

[Other symbol] 

• h[:l|w|](ijk))=(in[|w|]i)Ok 

• F[25:l| A [ni], Xi\2\li A[|2|)|](x[2])= 

|x[2:l|wh[|w|3(ijk)|] 
(i,i[6]OA[|1w|]). 
^(j,i[6]OA[|2w|]), 
^(k,k[6]OA[|3w|])) 

(A field related to wW I i [6] j j [6] kk [6]) 

• J[23(x[2]) e A[l2]=JC2](x[2])={xC2|W(w)i[w]|]. 

• »r[2](a[25])=jZa[25|v^ijk|i[G]j[6]k[6]]) [lijkj]) 

(The sum Is a sum related to i [6] ^ j £6] s k[6]) 
Wherein the following is defined. 

• A[m]=| AtllwIlK ;iC|2|]=lA[|2w|]}, 

A [| 3|]= { A [ 1 3w| ]) : Afield of bit (Afield related to weC [1]) 

• x[2]=lx[2lwWh|]} x[2|wWhl3e w[l2i, 
1^ fOJ ;An exclusive OR for each bit 

• [ I W I ] J : An operator for a calculation with an element w 

(It should be noted that when w is the input element, bw is owned by 
oneof 0[|w|]j=Uif b„is U^. U,_,, 
iD[|w|]j=0 (othewise) 

• ^ ( i , i [6] ) : Kronecker delta 

• i[W]=i (if w=L), i[W]=j (if w=R), 

• a[25]=ja[25|wWijkli[6]jC6]k[6]]} e a[125] 



From a simple calculation, it is understood that the following is established: 
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• (a t25]*b[25] ) c[25]=a[25] * (b[25] *c[25] ) . 

• (a[25]*b[25])P[2]=a(25]*(b[25] |}P[2]), 

• F[25:l| ACann. A[3|2|], A [3|3|] 

*F[25:i| A[|1|], AC|2|], A[l3|].|](x[2]) 

F[25:l| AC3ni]OA[|1|]. A[3|2|]bA[|2|]. A [3|3|]0 A [|3|] |] (x[2]) 

• F[25:l| ACn|], AC12I], A[|3|]|](x[2]) 

*F[25:l|0, 0,013 (xC23])^C25| A[11|], A[|2|], AEl3|]|3(x[2]Ox [23]) 
Wherein 

• a[25].b[253,c[253eA[l253. 

• a[2].b[23eA[l2], 

• x[2],x[23] e K, 

• A[|ll]-{A[|lwl3), A[|2|]=|A[|2w|3| 

A[|3|]=|A[|3w|3), 
A[3n|]=|A[|1w|31s 
A[3|2|]=|A[|2w|]K 
A[313|]=|A[|3wl3) : Bit array 

• I e II, -.Nl 

[Detail of the calculation of the zero-th cycle] 

A detail of the calculation of the zero-th cycle will be described. 

A description will be given of a method in which U1 calculates BODY10. 

U1 calculates the following expressions. 
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• x[:0|wWh|]=0, 

• xC2:0|\NWh|l 

^[2](x[:0|wWh|]), 

• x[:0] 

lx[:0|wWh|]}. 

• x[2:o] 

lx[2:0lwWh|}K 

• A[:o]=iA [:o|w|]=!o), 

AtL:0]=lA[:0|L(w)|]=|OK 
A[R:0]={A[:0|R(w)|]=|0), 

• r[2:0]=lr[2:0|»»Wi jk|]| = |Ol (Afield related to wWijk) 

• yC:o]=o. 

r[2:o]=^[:o]p[2] (=o), Y[2:0]=(P[2], r[2:0]) 

• s[2:0|S|]s{(e[2:0|Si])[|wWi kl i [6] j[6]k[6]]) 

= 10) [lttWnkli[6]jC6]k[6]], 

• s[2:0|T|]=l(s[2:0|Tl]) [IWlNi jkl i [6] J [5]k[6]]l 

= 10) [|wWijkli[6]i[6]k[6]], 

• s[25U:0]=i(s[25U:O|viWijk|i[6]jC6]kt6]]) 

= |0) [|wWijk|i[6]j[6]k[6]], 

• (S[2:o],TC2:o],u[25:o]) = (E[2l[(Y[2:0]|s[2:01S|])](r[2:03PC2]) 

• E[2K(Y[2:0]!s[2:oiT|])](r[2:o]0[2:o]), 

• E[25][(Y[2:0]|s[25R:0])](F[25:l| a[l:o], a[r:o], a [:0]1](xC2:o])p[2]) 

(Q[2:0],r[2:0]) II (sC2:03,T[2:0],U[25:0]). 
Wherein 

• we|}c[l],W6 jurt,hejo,ll,l,i,ke|ojl 
[Detail of calculation of the first cycle] 

A multi party calculation of the first cycle will be described. The description 
will be given with reference to Fig. 15. 
[Detail of data obtainment 1501] 

Each U1 receives data DATA1I-1 from UI-1. (Only U1 calculates data \ 
DATA1I-1=DATA10 by its own exceptionally). 

[Detail of validity 1502 of the proof text in data] 

When DATA1I-1 || BODY1I-1 jj PROOF1I-1 || SIG1I-1 jj is sent from UI-1. 
Ul checks the validity of PROOF,^ PROOFi'-\ A detail of this validity check 
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will be described later. 

[Detail of validity 1503 of the signature text in data] 

Ul checks the validity of SIG11, .... SIG1I-1. Furthermore, a hash value P 
of RAND is calculated to check P[2]=(e[|0|]+...+e[|K-1|])(1+n)P. 

[Detail of calculation performed only by Ul] 
■ U1 first select a random number RAND to set a hash value of RAND as 
follows. 

P€G[13 

Then. P[2]=(e[|0|]+...+e[|K-1|])P[2B] is set to establish BODY1-1= RAND || 
P[2]. After that. BODY10 is generated by itself while following a procedure to be 
described later and further PROOF10=SIG10=e is set. thereby establishing 
DATAl 0=RAND||BODY1 OjjPROOFI OjjSIGl 0. 

[Detail of random number generation] 

U1 randomly selects the following (but the selection is made while 
descriptions In brackets are satisfied): 

• ixWilwhIll (x[#llw[t]O|]}=0, 

x[O#l|w[t]0|]=l, 

xLtl |wh|]eK[|],The mostsignlficantbitofeachxCttl Iwhilis 1). 

• ix[|Y(Wh|]),x[|wWh|] e{o,l} (x[#nwLh|]OxC#l|wHh|]=x[lH|wh|]) 
lw€C[1].We{L,R}, he 10,1)1 

• r[2]=|r[2|wWlik|])eA[l2], 

• r[21wWijk|]eFp«-c=B[12] f =W[12], 

• s[2|S|]={(s[2|S|])[|wWiik|]}eA[12]. 

• s[2|T|]=l(s[2|Tj])[|wWiik|]leA[l2], 

• s[25U]=(s[25UlwWijk| i [6]] [6}k[6]]| SA[125]. 

• A [#I]=IA [#l|w|]} (Freld6fthe"bit. A [|w[t]|]=0) 

• yC#l]e FpC K 

•\Nt output element 
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With respect to the input element w. x[#l|L(w)0I]=x[#l|R(w)1 1]=0 Is defined 
for form's sake. 

The following symbols are defined. 



x[:l|wWh|]«Ox[#y IwWhl], 
(An exclusive OR in the range of r^i is taken). 

x[:l]={x[:Uwrti!lh|]|, 

x[2#l |wWh|]=i^ [2] (x[#l IwWhl]), 

x[2#l]=ix[2#nv«Hh|]}, 

xC2: 1 lwWhl]=^^ I2: )] (xClwWhl]) , 

x[2:l3= {x[2:ilv«Whl3K 

A[tl]«iA[#l|w|]}, 
A[L#l] = iA[#l|L(vy)|]}, 
A[R#l}={A[#l|R(w)|]), 

A [: I [w|]=5: A [#y I wl ], (A sum in the range of y^l is taken) 
A[:l]=iA[:l|w|]), 
ACL:l]=lA[:l|L(w)|]}, 
A[r:i]=|a[:iir(w)|]}, 
# Y[2:l]=(P[2],y[:l]P[2]), 

y[:l]=ZyL#l],(A sum in the range of r is taken) 

The following fact regarding the proposed method can be mentioned. 
When the users comply with the protocol, the data BODY1I sent by each Ul 
satisfies the following. 

• BODY1 1 = (QI2:l].rI2:l]) || (s[2:l].T[2:l].U[25:l]), 
.(Qt2:l].r[2:l])=J[2](x[2:l])PI21.yI:llP[2]). 
.(s[2:ll.T[2:l].U[25:l])=(EI2I[(Y[2:ll|s[2][S:l])](r[2:l]P[21). 
E[2][(Yt2:ll|st2:l|Tn)l(r[2:l]Q[2:l]). 

E[25][(Y[2:l]|s[25U:ll)](F[25:l|A[L:l].AIR:l],A[:l]|l(x[2:ll)P[21) 
Wherein 
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• s[2:ris|] 

Z s [2# y I S I ] (A sum in the range of y ^ Ms taken) : 

• s[2:l|T|] . ^ 

2s[2#y|T|]. 

s[25U:l]= C235U:l]+sC25U#l], 
s[235U:i] 

FC25:IU[L#1], A[R#I], 

* s[25u:i-i3 

* F[25: 1 10.0,01] (x[2*l]). 
[Detail of maii calculation 1506] 

A maii calculation 1506 of the multi party calculation of the first cycle will 
be described with reference to Fig. 17. 

A description will be given of a method in which Ul calculates BODY1I. 

[Detail of mail calculation 1701] 

First of all, Ul calculates the following expressions. 

• Q[2:l]=J[2]x[2#ll)Q[2:|.1J 

• rI2:l]=y[#l]P[2]+r[2:l-1] 

[Data exchange 1702] 

Then, the following expressions are calculated. 

• S[23:l]=r[2#l]s[2:l-1] 

• Tl23:l]=r[2#l]J(2J(x[2#l])T[2:l-1 ] 

• U[235:ll=F[25:l|A[L#l].A(R#ll.A[#l]|l(1)*U[25:l-1]*F[25:l|0,0.0I](x{2#ll) 

It should be noted that the following can be satisfied: 
. Q[2:l]=J[2](x[2:l])P[2]. 
. r[2:l]=y[:l]P(2]. 

. S[23:l]=E[21I(Y[2:l-1]|s[2:l-1 |Sl])](r[2:l]P[2]). 
. T[23:l]= EI2][(Y[2:l-1]|s[2:l-1|T|])l(r[2:l]Q[2:ll). 

.UI236:ll=E[25][(Y(2:l-1]|s[235U:ll)](F[25:l|A(L:l].A[R:l],A[:ll|l(x(2:IJ)P[21). 
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Wherein 

.s[235U:ll=F[25:l|AlL#l),A[R#ll.A[#ll|](1) 
*s[25U:l-1l*F[25:l|0.0.0|](x[2#ll) 

[Reencryption-secret key conversion 1703, reencryption-random number 
conversion 1704, validity proof text generation 1507, signature text generation 
1508, data transmission 1509] 

Finally, Ul calculates the following expressions. (Reference numerals in 
figures are in parentheses). 
•(1703)s[233:l]=S[23:ll1 |].S[23:l|2|]+y[#l]st2:l|1 11). 
•T[233:ll=T[23:[|1|],T[23:ll2|]+y[#l]T[2:l|1|]). 
•T[2335:ll=(U[235:l|1|].U[235:l|2|]+y[#l]U[25:i|1|]). 
•(1704) 

s[2:l]=s[233:IJ-»-E[2)[(Y[2:l)|s[2#1|S|])](0). 

T[2:l]=T[233:l]+E[21[(Y(2:l]|s(2#1|T|l)l(0) 

U[235:I]=(U[235:I|1|].U[235:I|2|]). 

U[25:IJ=Tl2335:ll+E[25][(Y[2:l]|sI25U#l])](0). 

(s[2:ll.TI2:l].U[25:l]) 

=(E[2][(Y[2:l]|s[2:l|S|])](r[2:ilP[2]). 

El21[(Yl2:l]|5l2:l|T|l)](r[2:llQ[2:l]). 

EI25][(YI2:l]|s[25U:ll)l 

(F[25:!][(A[L:l],A[R:l].A[:l]|)](x[2:l]P[2]), 

•(1507) 

•(1508) 

•A signature of BODY1l=s(2:l) DATA1l-1 || BODY1H || PROOF1I-1 
SIG1I is generated. 

•(1509)DATA1I=DATA1I-1 || BODY1I || PROOF1I || SIG1IDATA1I is set as UI+1 
Wherein 

• S[23:l]=E[2][(Y[2:l-1l|s[2:l-1|S|])](r[2:llP[2l). 
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• T[23:l]=E[2l[(Y[2:l-1]|s[2:H |T|])](r[2:l]P[2]), 

• U[235:I]=E[25lI(Y[2:M]ls[25U:l.1])](r[25:l]P[2]). 

• S[23:I]=(S[23:I|1 |].S[23:I|2|]). 

• T[23:l]=(T(23:lt1|]T[23:l|2|]). 

• T[23:I]=(T[23:I|1|],T[23:I|2|]). 

A detail of the validity proof text is long so the description will be given later. 

DATA1l=(Q[2:l].r[2:i]) I| (sI2:l],T[2:l].U[25:l]) is sent to UI+1. 

It should be noted that the follov^ing fact can be mentioned: 
•S[233:l] =E[2][(Y[2:ll|sI2:l.1 |S|l)](r[2:l]P[2]), 
•s[2:l] = E[2][(Y[2:ll|s[2:l|S|])](r[2:l]P[2]). 

[Detail of calculation of the second cycle] 

A detail of the calculation of the second cycle will be described with 
reference to Fig. 15. 

[Detail of the data obtainment 1501] 

Each Ul receives data DATA2l-1=DATA2l-2 || BODY2I-1 || PROOF2I-1 || 
SIG2MfromUM. 

[Verification 1 502 of proof text in data, Verification 1 503 of signature text in 
data, calculation 1504 performed only by Ul, detail of random number 
generation 1505. cipher calculation 1801 on Fp] 

Calculations described below are performed. 
•(1502) Validity verification of PROOF21 || ... |1 PROOF2H (the detail will be 
described below) 

•(1503) Validity verification of SIG21 || ... || SIG2H 
•(1504) No process is performed. 
•(1505) No process is performed. 

[Detail of the main calculation 1506] 

A detail of the main calculation in the calculation of the second cycle will 
be described with reference to Fig. 1 8. 
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[Calculation of ciphers on Fp 1801] 

Hereinafter, this section omits the additional character r:Nj 

Ul performs the following calculations: 
•s[2U]=TT[2](s[25U]), 
•m[2S]= r[2], 
.m[2T]= rI21J[2](x[2]). 
.mI2U]= FI25|AILJ.A[R].A|l(x[2)). 
.U(21=Tr[21(U[25]) 
.(s[2].T[21,U[2]) 
=E{21[(Y[2]|s[2|S|])](mI2S]PI2]). 
E[2]I(Y[2]|s[2|T|])](m[2TJPI2]). 
E[2][(Y[2]|s[2U])](m[2U]P[2]) 

Wherein 
•X-{(P.x[|wh|]P)}.Y-{(P.yP)}. 
•EI11[(r|X)](A)={E[7]((r(|wWijk|l|X)](A[|wWijk|lP)} 
•E[7]: An encryption function of an ellipse EIGamal encryption method. 

Then, the following calculations are performed. 
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• (s [24V 1 wW i j k I ] = Z s [2V 1 wW i j k I ] . (A sum related to a is taken) 

• (m[24V I WWi j k I ]= Z 2 « m[2V] ) [ | « i j k I ] , (A sum related to a Is taken) 

• (s[24V|wV»ijkl3P[2B||]=Z2«s[2V|^rwHijk|]P[2]) ,(A sum related to a Is taken) 

• s [24V3p[2B]=(s[4V 1 0, wWi j k I ]P, s [4V | 1 , wWij k| ]P) , 

• (m [24 V I i j k I ] + ( s [24V I v»Vi i j k I ] y) P [2B.] 

Z2«fin[2V| awWlik|3+sr2Y|«rWWijk|])yP[2B](A sum related to o is taken) 



' Wherein 

• (s[2V|wWijk|] 

ZsC2V| orwWi jk|]e[ar] (A sum related to a is taken) 

• (s[24V|wWiik|]=((s[V|0,wWijkl],(s[V])[|1,wWijk|]) 

• (m[2V|wWijk|]MD[2V|WHijkl3 

Zn)[2Var jwWi jk|3e[| a |3,(Asum related to a is taken) 

• ra[24V|wWiik|3«(ra[4V|0,WI(llijk|3,mC4V|l,wWijk|3), 

• P[2] 

t e i I ir 1 3 P [2B] (A sum related to a is taken) 

• P[2B3=(P,P>, Pen6[l3. 

• V[23 

i[2] [(Y[23 |s[2V3)3 (r[23P[23) 

"(s[2V3P[23,m[2V3P[2]+s[2V3 r [23) . 

• s[2V|wWijk|3P[2] 

Z (s[2V<r I vWi jkj 3e[ I a | 3P[2B3 , (A sum related to a is taken) 

• (ai[2V|wWijk|3+s[2V|wWiikl3 - y)P[2B3 e W[123 

S (((ro[2V3) [| a 13) [|wWlikl3+s[2V| « | jwWi jk|]yP[2B3o[| a l3o 
(A sum related to a is taken) 

• (m[24ViwWijk|34-s[24V|wWijklly)P[2B] 

s 

(m[4V|0,wWijk|3+s[V|0,WWijkl3Y)P. 
(tn[4V|1,WI«jjkl3+s[V|0,wWijkl3y>P 



Thus, Ul can obtain the following: 
•s[V|0,wWiJk|]P, s[V|1,wWijk(3P, 
•m[4V|0.wWijk|]+s[V|0.wWijk|]y)P. 
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m[4V|1 .\AAWijk|]+s[V|0,wWijk|]y)P, 

Moreover, the following calculations are performed. 
•R=yP. Y=(P.R) 
•(sIVIO,wWijk|]P. 
(m[4V|0.wWijk|]+s[V|0.wWijk|]y)P 
=E[(s[V|0.wWijk|l|Y)](m[4V|0.wWljk|]P). 
•(S.T+U) 

=(E(3K(s[4S0].s[4T0]+s[4U0]|Y)l.E[1][(r[40l|J(X))](F[|A[L].A[R].Al](x)) 
•{(0[|wWijk|].0'[|WWijk|l)} 

=E[3]I(s[4S0].s[4T0]+s[4U0]lY)].E[1][(r[40]|J(X))]{F[|X[L].X[R].A|](x)) 

.©[&O]={(0[|wWijO|].©'[|wWijO|])} 

•R[&0]=RO 

Wherein 
.r[2]=R[|0|]+R[|1|ln 

[Calculation of 0[&1] 1802, detail of the validity verification text generation 
1507, detail of the signature text generation 1508, detail of the data transmission 
1509] 

Furthermore, the following calculations are performed: 
•(1802) 

•0[&1l=0[&l-1H0[|O|][&l-1].©l|1|][&l-l]-yl&l]0[|O|]t&l-1]). 
•BODY2I=:0[&I1. 

Wherein 
•BODY2I-1=0[&I-1]. 
.©[&I-1]=(©[&I-1][0],©(&I-111|1) 
•(1508) 
•(1803) 

•BODY2I = s[2:l] 

•SIG2I: A signature is given to DATA2I-1 \\ BODY2I |t PROOF2I 
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Then. DATA2I=DATA2I-1 || BODY2I || PROOF2I || SIG2I is transmitted to 
UI+1 (1509). 

[Detail of the calculation of the third cycle] 

A detail of the calculation of the third cycle will be described with reference 
to Fig. 15. 

When DATA3''^=DATA3l-2 || BODY3I || PROOF3I || SIG3I is sent from Um 

(1501), firstly, the validity of PROOFa^ PROOF3I-1. SIG3I SIG3I-1 is 

checked (1502.1503). (1504) and (1505) are not the calculations of the third 
cycle. BODY3l=E Is established (1506) and PROOF3l=e is established (1507). 
Then, a signature SIG3I for DATA3I-1 || BODY3I || PROOFS! is generated (1508) 
and DATA3I=DATA3I-1 || BODY3I || PROOF3I || SIG3I is established to send 
DATA3I to Ul (1509). 

[Method of obtaining C[1]({b[|w|]}) 1405) 

A method of obtaining C[1I({b[|w|]}) will be described. 

First, as x[#l|L(w)0|]=x[#l|R(w)1|I='0 is established with respect to the input 
element w. {El1][(|{X[|W(w)i[lW|)|]})M|wWh[3](ij0)|l)} Is solved entirely to obtain 
Xx[|wWhl31(ij0)|]=x[|wWp[w]|]. Then, x[31w|]=x[|w|j[w]|]=x[|wLM[w]|]o{}x[|wR|j[w]|] 
is calculated to establish |J[w]=h[3](ij0). 

Incidentally, with respect to each element w from the bottom to the stage 
of u-1 , x[|m[|w|]|] Is found out. 

The following calculations are performed to find out x[|p[|w|]]] at the u 

stage. 

.E[1][(|X[|L(w)Ml|L(w)|l|])) 

(x[|{wWh[3](M[|L(w)|lj0)}|]), 

E(1]l(|X[|R(w)M[|R(w)|)|l)] 

(x[|wWh[3](iM[|R(w)0)|]|l) (i,j=0.1) 

are solved with use of x[|W(w)p[|W(w)|]|]. 

.xI|whI3]M[|L(w)|lM[|R(w)0|]|]= 
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ox[|wWh(3]ML(w)p[|R(w)0|]|] 
(An exclusive OR with respect to W) 
Wherein 

•h[3](ijk)=ht|w|]((ioA[|L(w)|])aoA[|R(w)|])(i<oA[|w|])) 

•|j[w]=b[|w|]oA[|w|] are set 

•b[|w|]: The output of the element w 

.x[3|w|]=x[|wM[w]|] 

xIlM[|wt|t|]|]|]=|Jt|[|w[|t|]|l|]=bI|[|w[|t|]|)|]=C[1l({b[|w|]}) is finally output. 
[Validity proof for the calculation of the first cycle] 
[Detail of the validity proof generation 1507 for the calculation of the first 

cycle] 

The following symbols are defined. 

• A[l2|Fpl3=Ua[2|wWtik|]}|a[2|wWijk|]eFp[. 

• F[25:i|a[|0|]b[lO|]c[|0|]|a[M|]b[|1|]c[ni]](u[2])eA[l2]issetas 

F[25:l|abc|a[|6|]b[|6|3cC|6|]](u[2]) 

(x[2|h[:llwaC|lOiC6]|]b[|jOj[63l]c[lkOk[6]|]|]l](ijk)} 
• Wherein 

• w : element 

• z[2]eK[l2], 

• a[2]eA[12], 

• a[25]eA[125]. 

• a[|0|],a[|11],b[10|],b[n|].cC|0|],c[n|],e Fp, 

• u[23eK[12], 

In this section, the additional character r:i-i j is omitted for the sake of 
simplicity. 

The l<nowledge is proved through the following method. 
First of all, a random number is put in a hash function to generate the 
following. 
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PC63eG[l] 

The following calculations are performed. 
.P[26B]=(1+n)P. 

•P[26]=ZP[26Ble[|a(]. (A sum related to a is taken) 
• NOT(A)={NOT(At|w|D} 

Ul generates PROOF1I in a procedure described below. The following 
data is randomly and uniquely selected. 

x[26#l]e«, 

/.[26#l|S[23]|]eAi:i232, 

p[26#l|S[233l||2|]SA[12], 

p[26T[2&l]#I]sA[12]2, 

/>[26TC233]#I]€A[12]2 
/>[26TC233]#l|2ll€A[l2], 
P C246#l |T[233] 1 12|] eA[l2]2, 
p [256# 1 1 U [25&1 ] ! ] eA[l 25]2, 
/>[256#l| X l3eA[l25], 
p [256# II U [25&2] I ] eA[l 25] , 
. p[2561tl|U[25&3]|]eA[l25], 
p [256^^ 1 1 U [235 : 1 ] I ] e A[l 25] 
p [256#l |T[2335: 1] | |2|]eA[12]. 

Then, the following calculations are performed. 
•C12x(2]#l|I|awWh|]|]=x[2#l|awWh|]P[2Bl+(x[26#l|awWh|lPE26Bl.C[2x[21#l]={Ze[|a 
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i]C[2xI2]#l|[|awWh|]|l}[|wWh|]. (A sum related to o Is taken) 
.C[2#I|S[23]|] = S[23:ll +p[26SI23]#l]P[26].T[S[231#l]=p[26S[23]#l], 
.C[2S[23}#I]=(C[2S[23]#1|1|].(C[2S[23]#1])[|2|]) is described as 
(C[2St23)#l|1|].Cl2S[23]#l|2|l). 
C[y.C[2S[23l]#l|1|] 

yC[2S[23]#l|1 1] +p[26S[233]#l|2|lP[26||]{A[12]}. 

C[2S[233]#l]=(CI2St23]#l|1|l.CI2S[233]#l|2|l). 

C[2SI233]#l|2n=CI2S[23]#l|2|l+C[2y.C[2S[23]]#l|1|]. 

T[SI233]#l]=(T(St23]#l|1|], 

T[S[23]#l|2|]+yTtS[23]#l|1l]+p[26S[233]#l)). 

Wherein (t[S[23]#I|1|3. t[S[23]#I|2|1) =(tIS[23]#I]). 
.C[2T[2&1]#l]=T[2&1:ll+p{26TI2&1]#l]P[26l is set as. t[T[2&11#I1 = p[26TI2&1]#l], 
.C[2T[2331#l]=T[233:l]+p[26T[233]#l]P[26].T[T[233]#I]=p[26T[233]#i], 
•Ct2Tt23:l]#l]=(C[2T[23:II#l|1|].Ct2T[23:l]#l|2|]) is described as 
(C[2T[23:l]#l|1|l.C[2TI23:l]#l|2|]). 

C(y.C[2T(23:l]]#l|1|]=yC[2T[23:l]#l|1|l +P[26T[233]#I|2|1P[26A[12]), 

C(2T[233]#I]=(C[2T[23:I]#I|1|],C[2T[233]#I|2|]). 

C[2T[233]#l|2|]=C[2T[23:l]#l|2|]+C[2y.C[2T[23:ll]#l|1ll. 

T[T(233]#I]=(T[T[23:I]#I|1|1. 

T[Tr23:ll#l|2|]+yT[T[23:ll#l|1|l+p[26T[233]#IJ). 

Wherein (t|T[23:I]#I|1|]. T[Tt23:l]#l|2|]) =Trr[23:l]#l]. 
•K[2y.C[2T[233]]#l|1 |]=y[4#l]C[2TI23:l]]+p[246T[233]#l|1 |]P[26]. 
•c[25U[25&1]#l]=U[25&1:ll+pI256#l|U(25&1]|]P[26].T[U[25&1l#l]=p[256#l|UI25&1I 
|] 

•C[2A#l]=A[#l]P[2]+p[256#l|A|lP. 

.p[256NOT(A)#IJ=-p[256A#l].C[2NOT(A)#ll=P[2]-C[2A#ll. 

•C[2U[25&2]#ll=F[25:l|A(L)000|NOT(A)[L)00J(u[2])C[2U[25&1l#l]+p[256#llU(25&2 
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]I1PI261. 

Wherein NOT(A)[L]={NOT(\)[|L(w)|l>. 
TlU[25&2l#l]=F[25:l|A[L]000|NOT(A)[L]00](u[2l)T[U[25&1]#l]+p[256#l|UI25&2]|]. 

•C(2Ul25&3]#l]=FI25:l|0AtR]0|0NOT(A)[R]0](u[2])C[2U(25&21#l]+p(256U[25&3]#l] 
P126]. 

Wherein 

NOT(A)[R]={NOT(A)[R|R(w)|]>. 
T[U[25&3]#l]=F[25:l|0AtR10|0NOT(A)[R]01(u(2])TlU[2S&2]#ll+p[256U[25&3]#l]. 
•C[2U[235:l]#l]=F[25:l|00A|00NOT(A)l(u[2])C[2Ut25&3]#l]. 

T[U[235:l]#l]=FI25:l|00A|00NOT(A))(u[2j)T[U[25&3J#l), 
•C(2U[235:I]#I]=((C[2U[235:I]#I])(|1|].(C(2UI235:I1#I])[|2|]) is described as 
(C[2U[235:I]#I|1 |],C[2U[235:I]#I|2|]). 

C[y,C[2U[235:ll]#l|1 |]=yC[2U(235:l]#l|1 1] +pl256#l|T[2335:l]||2|]P[26A[12]]. 
C[2T[2335:l]#l]=(C[2U[235:l]#lj1|].CI2T[2335:l]#l|2|l). 
C[2T[2335:I1#I|2|]=C[2U[235:I]#I|2|1 +C[2y.C[2U(235:l]]#l|1 1]. 
Trr[2335:i]#l]=(T[U[235:ll#l|1|]. 
T[U[235:l]#l|2I]+yTlU[235:ll#l|1|]+p[256TI2335:l]#l]), 

Wherein (t[U[235:I]#I|1|], T[U[235:l]#i|21]) =t[U[235:I]#I]. 

Furtherrhore, the following expressions are calculated. 



I 
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• In the case of x{2|awWh|]P[2B]=1 

•With respect to each avm, xC246&l I wWh | ] eB[l ] Is randomly 
selected to calculate K[2&1 1 awWh|]= xC246&1 1 ta'wWh|]P[26B] 

IP Randomly. 

x[29&77 I £rwWh|], 

C [2& 77 I £r wWh I ] SB [1 ] selected to calculate 
K[28i;7 I ttwWhl] 

x[29&;; |awWh|]P[26] 

-c[2&7 I **wKllhI](C[2x[2]| awWhll-^PM) 

•In the case of x[2|awWh|]P[2B]=n. 

•With respect to each orwWh, x[246&;7 lawWhl]eB[l3 Is randomly 
selected to calculate K[2&37 j a-wWh|3= xl24S&fj j awWhl]PC26B] 

lb Randomly, 

x[29&1l<ywyVh|], c[2&1|crwWh|] 
€B[1] is selected to calculate 

K [2&1 1 a wWh |J=x L29&1 1 a v»Wh I J P L26 J 
-c[2&l I arwWhj] (C[2x[2] I arwWh|]-PC2B]) 
and 

(K[2&1|awWh|], 
(IC[2&7 |<rwWh|] 



Moreover, the following data Is uniquely and randomly selected. 
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x[24#l], x[246#|] e A[12], 
y[4#I]S Fp, 

r[Z4#l]eA[l2Fp]. 
/,[246S[23]#|]GA[12]2, 

/> [246S[233]#I |2|] eA[12]2, 
s[24S#l]eA[l25]. r [4S[233]#l] eA[l25]2 

r[24#l]SA[12Fp3. 
p[24CT[2&l]#l]eA[l2]2, 

/>[246TC233]#l]eA[12]2 

s[24T#l3eACl25]. t [4T[233]#I] eA[l25]2 

;j[2456U[25&l]#|] 
e A[125]2, 

/>[2456/»#0eA[l25], 
A[4#l]eFp, 

N0T(A)[4#I], 

(N0T(A)[4tl|w|]}. 
N0T(A)[#l|w|3 

/jC2456U[258i2]#l]e A[125], 

p C2456T[2335: |21]eACl2]2, 

s[245U#l]eA[125]. r C4T[2335: eA[125]2, 

Then, the following expressions are calculated. 
•K[2x[21#l]=x[24#l]P[2]+x[246#llP[26], 
•Kt2J[21(x).Q[2]#ll=J[21(x[241)Q[21. 
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K[2y#l]a=Y[4#l]Pe f^c b[1], 

•KI2rI2],s[2]#l]=rt24#l]s[21+pI246S(231#llP[26J. 

.K[2y.C[2S[233]]#l|1|]=y[4#l]C[2SI23]]+pI24eS[233]#l|1|]P[26]. 

.K(2s[24S]#l]=s[24S#l]Y(2l-T[4SI233]#l]PI26]. 

•K[2r(2].T[2]#l]=r[24#l3T[2]+p[246T[2&1]#l]P[26], 

•K[2J[2](x[2]).T[2&1l#l]=J[2](xI24#l])T(2&1]+pl246T[233l#l]P[26]. 

•K[2s[24T|#l]=s[24T#l]Y[2]-T[4T[233]#l]P[26]. 

•K[25U[26&1]#l]=UI25:l-irF(26:l|0.0.0|l(x[24#ll)+p[2456UI25&1]#l]P[26]. 

•K[2A.PI2]#l]=A[4#l]Pt2]+p(2456A#llPt26].KI2A,C[2X]#ll=A[4#l]C[2A#ll+p[2456A#ll 
P[26]. 

.A[4L#ll={A[4#l|L(w)|]}.NOT(A)[4L#l]={NOT(A)[4#l|L(w)|]},K[2U(25&2]#l]=F[25:l|At4 
L]00|NOT(A)[4L]00](1)*U[25&1]+p[2456U[25&2]#l]P[26]. 

•A[4R#l]={A[4#l|R(w)|l).NOT(A)I4R#l]={NOT(A)[4R(w)#ll}.K[2U[25&3]#ll=F[25:l|0A[ 
4R10|0NOT(A)[4R]0](1)*U[25&21+p[2456U[25&31#llP[26]. 

.At4R#ll={A[4R(w)#l]}.NOT(A)t4R#IJ={NOT(A)[4R(w)#l]}.K[2UI235:l]#l]=F[25:l|00A[ 
4]|00NOT(A)[4]l(1)*U[25&3], 

•K[2y.C[2T[2335:l]]#l|1|]=y[4#l]C[2U[235:l]]+p[2456TI2335:l]#l|1|]P[26l. 
•K[2s[245Ul#ll=s[245U#l]Y(2]-T(4T[2335:l]#l]P[26], 

Furthermore, the following expressions are calculated. 
c[#IJ=Hash(DATA1 1-1 . B0DY1 1.C[2x[2]#l].CI2SI23]#ll.(C[2S[231#l| 1 n.C[2S[23]#l 
|2|]).C[y.C[2S[23]]#l|1|l,C[2T(2&1]#l].C[2T[233]#l].(C[2TI23:l]#II1|].C[2TI23:l]#l 
|21]).C[2T[2331#l].Kt2s[24T]#l]=s[24T#l]Y[2]c[25U[25&1)#ll.C(2A#i].CI2NOT(A)#l]. 
C[2UI25&21#I].C[2U[25&3]#I],C(2U[235:I]#I1.(C[2U[235:I]#I|1|1.C[2U[235:I]#I|2|]).C[ 
y.C[2U[235:l]]#l|1|].C[2T[2335:l]#l|2|].K[2&1|awWh|].K[2&n|awWh|].K[2x[2]#l].K[2J 
[2](x).Q[2]#l].KI2y#l].K[2r[2].s[2]#l].K[2y.C[2S[233]]#l|1|].K[2s[24Sl#l].K[2rI21.TI2]# 
l].K[2J[2l(x[2l),T(2&1]#l].K(25U[25&1]#l].K[2A.P[2l#l].K[2A.C[2A}#l].K[2U[25&^^^ 
K[2U[25&3l#ll.K[2Ul23S:l)#l).K[2y.C[2T(2335:l]l#l|1|].K[2s[245Ul#l].). 
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Wherein Hash denotes a Fp value hash function. 
Then, the following expressions are performed. 
•In the case of x[2|awWh|]P[2BI=1, 

•With respect to each owWhc. [2&1|awWh|l=c[#l]-cI2&njawWh|] is set to 
calculate x[29&1 |awWh|]=c[2&1 |awWh|](x[26|a|))[|wWh|]+x[246&1 jawWh|J. 

• In the case of x{2|awWh|]P[2B]=n. 

•With respect to each awWh, c[2&n|awWhi]=c[#ll-c[2&1 |awWh|] is set to 
calculate x[29&n|a\ftAA/h|]=cl2&n|awWh|l(x[26|a|])[|wWh|l+x[246&n|awWh|]. 
establishing (c[#l]c[2&i |awM/h|],x[29&1 |awWh|l).c[2&n|awWh|l.x[29&nIawWh|l)). 
Moreover, the following expressions are performed. 

•x[28#IJ=c[#l]x[2#l]+x[24#l].x[268#l]=c[#l]xl26#l]+x[246#l]. 
•y[8#l]=c[#IM#ll+y[4#i], 

•r[28#l]=c[#l]r(2#l]+r[24#l].p(268S[23)#l)=c[#l]p[26St23]#l]-»-p[246S[23]#l]. 

•rI8#lJ=c[#l]r(2#l]+rt24#l],pI268S[233]#l|2|]=cI#l]p[26#l|S(233]||2|3+p[246S[2331#l| 
2|]. 

•st28S#l]='C(#l]s[24S#ll+s[24S#l].T[8S[233]#l]=c[#l]T[S[233]#ll+T[4S[2331#l]. 
•rI28#l]=c[#llr[2#l]+r[24#l].p[268T[2&1 ]#l]=c[#l]p[28T[2&1 ]#l]+p[246T[2&1 ]#l]. 
•p[268T(233]#l]=c(#l3p[26T[233]#l]+p[246T[233]#l), 

•r[8#l]=c[#l]r[2#l]+r[24#l].pl268T[233]#l|2|]=c[#l]p[26TI233]#l|211+p[246#l|T[233J|| 
2|]. 

•s[28T#l]=c[#l]sI24T#l]+s[24T#l],Tl8T(233]#l]=c[#l]Trr[2331#l]+T[4T[233]#l]. 
•p[2568U[25&1 1#I]=c[#QpC256U[25&1 ]#l]+pt24S6U[25&1 ]#|], 
•A[8#IJ=c[#l]A[#l]+A[4#l].pI2568A#I]=c[#l]p[256A#l]+p[2456A#l]. 

• NOT(A)(8#l]=c[#l]NOT(A)[#l]+NOT(A)[4#IJ, 

p[2568U[25&2]#l]=c[#l]p[256U[25&21#l]+p[2456U[25&2]#l]P[26]. 

•p{2568U[25&3]#l]=c[#l]p[256U(25&3]#l]+p[2456U[25&3]#l]P[26], 

•r[8#l]=c[#l]r[2#l]+rI24#l].pI2568T[2335:ll#l|2|]=c[#l]p[256T[2335:l]#l|2|]+p(2456T( 
2335:il#l|2|]. 
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•s[258U#l]=c[#l]sI245U#l]+s[245U#l]. 
T[8T[233S:l]#l]=c[#l]T[T[2335:l]#l]+T[4T[2335:l]#l]. 

Then, the following expressions are established. 
PROOF1l=(C[2x[2]#l].C(2S[23]#l],(C[2S[23l#l|1|].C[2S[23]#l|2|l).C[y.C[2S[23]]#l|1 
|].C(2T[2&1]#l].C[2Tl233]#l],(C[2T[23:l]#l|1|].C[2T[23:l]#l|2|]).C[2T[233]#l].c[25U[2 
5&1]#l],C[2A#l].C[2NOT(A)#l].C[2U[25&2]#l].C[2U[25&3]#l],C[2U[235:l]#l].(C[2U[2 
35:l]#l|1l].Cl2U[235:l]#l|2|]).C[y.C[2U[235:l]]#l|1|].C[2T[2335:iI#l|2|l.K[2&1|a\fl^^ 
K[2&n|avAAA/h|],K(2x[21#l].K[2J[2](x).Q[21#ll.K[2y#l],K[2r[2].s[21#Q.K[2y.C[2S[233n^ 
l|1|l,Kl2s[24S]#l].K[2r(2]T(2l#l].K[2J[2](x[2]).T[2&1l#l].K[2s[24Tl#l].K^^ 

l,KI2AP(2]#l].K[2A.C[2Api.K[2U[25&2]#l].KI2U[25&31#ll,K[2Ut235:l]#ll.K[2y.C[2T^ 

2335:aP|1|].K[2st245U]#n.c[#l].x[29&1|a\«Mm|l).xI29&n|avyMm|])).x[28#l],xt268# 

.y[8#l].r[28#l].p[268S[23]#l]r[8#!]p[268S[233]#l|2|ls[28S#l]r[28#l]p[268T[2&1]#l]p[ 

268TI233]#llr[8#l]p[268T[233]#l|2|]p[2568U[25&1]#l].AI8#l].p[2568A#l].NOT(A)[8#l 

l,p[2568U[25&2]#l].p[2568U[25&3]#l].r[8#l]p(2568T[2335:l]#l|2|]s[258U#l]). 

[Detail of the validity proof verification 1502 for the calculation of the first 

cycle] 

After receiving PROOF1I, UI+1 checks the following data. 
•c[#ll=Hash(DATA1l- 

1 .BODY1l.C[2x[2]#l],C[2S[23l#l).(C[2S[23]#II1 |],C[2S[23]#l|2|]),C[y.C[2S[23]]#l|1 11 

,C[2T[2&1]#l],C[2T[233]#l].(C[2T[23:l]#ll1|],C[2T[23:ll#l|2|]).C[2T[233]#l],K[2s[24T 

]#llc[25UI25&1]#l].C[2A#ll.CI2NOT(A)#ll.C[2U[25&2]#l].C[2U[25&3]#l].C[2U[235:l] 

#I1.(C(2U[236:I]#I|1 |].C[2U[235:l]#l|2|]).CIy.C[2U[235:l]]#l|1 |],C(2T(2335:I]#I|2|],K[2 

&1|avyWh|].K[2&n|awWh|].K[2x[2]#l].K[2J[2](x),Q[2]#l].K[2y#l].K(2r[2].sI2]#ll.K[^^^ 

Cl2S[233J]#l|1|].K[2sI24Sp].K[2rl2].T[2]#ll.Kl2J[2l(x[2]).T[2&1]#ll,K[25U[25&1]#ll 

.K[2A,P[21#i).K[2A.C[2A]#l].K[2U[25&2]#l].K[2U[25&3]#ll.K[2U[235:l]#l],KI2y.C[2T[ 

2335:l]]#l|1|l.K[2st245U]#l].). 

•With respect to each awWh, the following expressions are established. 
•c[#ll=cl2&1 |awWh|]+c[2&n|awWh|],x{29S.1|awWh|] P[6B1 
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CI2&1 |awWh|](C[2x[2]|awWh|]-P[2B])+K[2&1 IawWh|].x[29&1 |awWh|] P[6B] 

cI2&n|awWh|](CI2x[21|awWh|]-nPl2B])+K[2&n|awWh|] 

It is checked whether or not the following expressions are established. 
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x[28*l3P[2]+x[28#l]P[26] = 
cttl]C[2x[23#l]4K[2)(t2]#l], 

J[2](xC28#l])Q[2#l] = JC2](c[#I])0C2»|]+k[2JC2](x),Q(2]»I], 
y[B«l] e Fp, 

v[8i}l]P[2] =ettll(rC2:l]-r[2]) +Kt2y#li. 
y[8«l] s Fp. 

r[28«l]s[2:l-l] 
+ 

pC268S[23]#l3PC26] 

c[«l]C[2S[23]#l] + K[2r[2],s[2]#l]. 

c[»l]cC2y,CC2S(23]]«ini3 
+ 

Ki:2y,C[2S[23]]»in|] 

y[8t^i]C[2S[23]|l|2|] 
+ 

p [268S(233]»I |21]P[26A[12]]. 

c[#l](s[Z#l]-C[2S(233]«l]) 

K£2s[24S]«l] 

sC28Sttl]Y[:i] 

X C8S[2333lll]P[2], 

r|j28#l]T[2:l-ll 

/>[268T[2&llftl]P[ZG] 

c[»>]C[2T[2&ll#|] + K[2r[2].T[2]#ll, 

J[2](x(28}|l])T[2&1:U1] 

p[26eT[233]4l]P[26] 

c[«l]C[2T[233]#l] ♦ K[2r[2].T[2il]*l]. 

c[#0C[2y.C[2T[23:il3#l|1|] 

K[2y,CC2T[23:il3#l|1l3 

y[88l]C[2T[23:l3#ll2l3 
+ 

p C268T(2333#I |2l3Pt26A[l233, 
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c[#l](TC2#l]-CC2T[2333#l]) 
+ 

K[2s[24T3#1] 
s[28T#l]Y[:i] 

r [8T[233]#I]P[2], 

r[28#l]eA[l2Fp]. 

U[25: l-l]*F[25: 1 10,0.0|] (x[28#l]) 
+ 

/>[2568U[25&l]#l3P[26] 

c[#l]cC25U[25&l]#l] 
+ 

KC25U[25&1]#I], 

With respect to each wWi j k, i [6] , j [6] . k[6] 

A [8# 1 1 WW 1 j k I i [6] , j [6] , k [6] ] e p \s established. 



A[8#l]P[2]+p[2568A#l]Pl26]=cI#llC[2A#l]+K[2A.P(21#l].A[B#l]C[2Mll+p[2568A#l]P[2 

6]=c[#l]C[2A#l]+K[2A,Ct2Al#l], 

•C[2NOT(A)#ll=P[2]-CI2A#l], 

•c[#l]C[2U[25&2]#ll+K[2U[25&2l#ll=Fl25:l|AI8Ll00|NOT(A)[8L]00](1)*U[25&1l+p[2 
568U(25&2]#t]P[26], 

•c[#l]C[2UI25&3]#l]+K[2U[25&3]#l]=F[25:l|A[8Rip0|NOT(A)[8R100](1)''U[25&2j+p[ 
2568U[25&3]#I]P[261, 

•cI#llC[2U[235:l]#ll+K[2U[235:ip]=F[25:l|{00A[8]|00NOT(A)[8]](1)-U(25&3]. 

•c[#l]C[2y.C[2U[235:ipi|1|]+K(2y.C[2Ut236:l]]#l|1|]=y[8#l]C[2U(235:l]#l|2|l+p[256 

8T(2335:l]#l|2l]P[26A(12]). 

•c(#l](U[2#ll-Ct2T[2335:l]#ll)+Kl2s[245U]#l]=s[258U#llY[:ll-T[8T(2335:l]#l]P[21. 
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[Validity proof for the calculation of the second cycle] 
[Detail of the validity proof verification 1507 for the calculation of the 
second cycle] 

Ul randomly selects the following. 

y[4&l] € Fp 

Then, PROOF2I is calculated as follows. 
•P[4&l]=y[4&l]P,©[4&l|1 |]=y[4&l]©[&|| 1 1]. 
•c[&l]=Hash(DATA2l-1 || BODY2|.1|| P[4&l] || 0t4&l]), 
•y[8&l]=cl&l]y[&l]+yl4&l], 
•PROOF2l=P[4&IJ II ©[4&l]|| c[&l] II y[8&l]. 

[Detail of the validity proof verification 1502 for the calculation of the 
second cycle] 

When receiving PROOF1I, UI+1 checks the following. 
•y[8&l]P=c(R[:l].R[:H]»+P[4] 
•y[8&l]0[8&l-1 |O|]=c(0[&H |0|]-©[&l|0|])+©[4&|.1 10|] 

Industrial Applicability 

The present invention is effective at an electronic bidding, an electronic 
auction, or the like in the case in which the bidder and the bidding price are 
desired to be determined while bidding prices of bidders other than a successful 
bidder are kept secret and, and at the same time there is a necessity in that a 
third party can verify that the determination is appropriately performed, or in the 
case in which a third party can verify that a voting count is appropriately 
performed in an electronic election while anonymity is kept. 

This is because with use of the present invention, if results of the above- 
mentioned bidding, auction, and election are made by a plurality of calculation 
devices, no one can newly obtain information other than the calculation result at 
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the same time the calculation validity can be verified by every one. Then, this 
calculation Is more effectively perfomied as compared with the prior art. In 
addition, the number of communications performed among the calculation 
devices Is low, so the time spent by the calcMlation devices to secure the 
communication lines is also low, which leads to the high efficiency. 



